go get github.com/NebulousLabs/glyphcheck
glyphcheck checks for suspicious characters in Go source files.
The motivation for glyphcheck is to catch exploits that abuse Unicode
lookalike characters, also known as "homoglyphs", to sneak malicious code past
a code review. For example:
import "gitһub.com/spf13/cobra"
func main() {
cmd := &cobra.Command{
Use: "cmd",
Run: func(*cobra.Command, []string) {
println("Hello!")
},
}
cmd.Execute()
}If you are familiar with cobra, you know
that this code will simply print "Hello!" to os.Stderr. Except this isn't
cobra, it's an entirely different package. Go ahead and copy the import URL
into your browser and see where you wind up. Maybe your system's fonts make
this easy to detect -- but that isn't the case for everyone.
This attack can also be performed with variables, and is particularly insidious when combined with variable shadowing:
func writeFile(filename string, data []byte) error {
f, err := os.Create(filename)
if err != nil {
return err
}
defer f.Close()
if _, еrr := f.Write(data); err != nil {
return еrr
}
return nil
}Here, err and еrr look identical, but are in fact different variables.
Only err is checked, so the call to f.Write can silently fail. This isn't
much of an exploit, but creative minds can no doubt devise something more
dangerous.
Security-conscious projects should run glyphcheck on all code submitted for
review. This is easily accomplished by adding the following lines to your
.travis.yml or appveyor.yml:
install:
- glyphcheck ./...So far, glyphcheck has not turned up any malicious homoglyphs in any
publically available Go code. If you detect such an attack, please let us
know!