Potential new sniff: scan code for "Trojan source" #286

Open

jrfnl opened this issue Nov 8, 2023 · 0 comments

jrfnl (Member) commented Nov 8, 2023

Report from squizlabs/PHP_CodeSniffer#3465:

A new security advisory and associated article have recently been published about an attack vector called "Trojan Source", and someone has already suggested that I write a sniff to detect this pattern.

The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.
These visually reordered tokens can be used to display logic that, while semantically correct, diverges from the logic presented by the logical ordering of source code tokens.
Compilers and interpreters adhere to the logical ordering of source code, not the visual order.

A sniff could be written to detect these specific unicode control characters in files and flag these.
The attack has been confirmed to work in JS, but I expect it to also work in PHP, even though PHP is not mentioned in the paper. Will test this, of course, to confirm.

Would this be a sniff which would be acceptable for PHPCS itself (in a new Generic - Security category), or should I prepare it for one of the external standards?

For the test data, I'd need a combination of both the typical attacks as well as text strings/comments with legitimate uses of those code points to prevent false positives.
That last part will probably be the hardest to handle, so code samples for that would be helpful to receive.

Links to info about Trojan Source:


The Security standard was my first thought, unfortunately I know from experience that that standard is not being actively maintained, so chances of the sniff ever getting merged are slim to none.

The repo for the standard is here: https://github.com/FloeDesignTechnologies/phpcs-security-audit/

When I finally have some breathing room again, I may consider taking over that standard or starting a fork which will be actively maintained, but that may be a while yet.

I might just create a sniff for this anyway and pull it to PHPCSExtra for now.
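As an added example, not code from this issue, PHPCS or PHPCSExtra, the following stand-alone PHP script shows both halves of what the report above describes: a constructed PHP file carrying the paper's "commented-out guard" pattern, and a scanner built on PHP's own token_get_all() that flags the Bidi control characters while separating hits inside comments and strings from hits in code. All names (findBidiControls, BIDI_NAMES, TEXT_TOKENS, the $sample text) are the example's own. The severity rule it applies (a control left open at the end of a comment or string token is an error; a balanced run is only a warning for review) is this example's heuristic, following the compiler-side mitigation the Trojan Source paper proposes, not a PHPCS convention.

```php
<?php
// Added example, not code from PHPCS/PHPCSExtra: a stand-alone scanner for the
// Unicode Bidi control characters used by "Trojan Source", built on PHP's own
// tokenizer so hits in comments and strings are separated from hits in code.
// Names (findBidiControls, BIDI_NAMES, TEXT_TOKENS, $sample) are the example's own.

declare(strict_types=1);

// The nine Bidi controls from the Trojan Source paper, grouped by how they close:
// embeddings/overrides end with PDF (U+202C), isolates end with PDI (U+2069).
const BIDI_NAMES = [
    "\u{202A}" => 'LRE', "\u{202B}" => 'RLE', "\u{202D}" => 'LRO', "\u{202E}" => 'RLO',
    "\u{202C}" => 'PDF',
    "\u{2066}" => 'LRI', "\u{2067}" => 'RLI', "\u{2068}" => 'FSI',
    "\u{2069}" => 'PDI',
];
const BIDI_REGEX = '/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u';

// Token kinds where a Bidi control may be legitimate (RTL text in a comment or string).
const TEXT_TOKENS = [T_COMMENT, T_DOC_COMMENT, T_CONSTANT_ENCAPSED_STRING,
    T_ENCAPSED_AND_WHITESPACE, T_INLINE_HTML];

/**
 * Return one finding per token that contains a Bidi control character:
 * ['line' => int, 'token' => string, 'chars' => string[], 'severity' => 'error'|'warning'].
 * A control in a non-text token is always an error. In a comment or string it is an
 * error only when a control is still open at the end of the token (the Trojan Source
 * signature); a balanced run is reported as a warning for manual review.
 */
function findBidiControls(string $source): array
{
    $findings = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // single-character ASCII tokens cannot carry a Bidi control
        }
        [$id, $text, $line] = $token;
        if (preg_match_all(BIDI_REGEX, $text, $m, PREG_OFFSET_CAPTURE) === 0) {
            continue;
        }
        $stack = []; // 'E' for embedding/override, 'I' for isolate
        $chars = [];
        foreach ($m[0] as [$char, $offset]) {
            $name    = BIDI_NAMES[$char];
            $chars[] = $name . '@' . ($line + substr_count(substr($text, 0, $offset), "\n"));
            if ($name === 'PDF') {
                if (end($stack) === 'E') {
                    array_pop($stack);
                }
            } elseif ($name === 'PDI') {
                // PDI closes the nearest open isolate and anything opened inside it.
                if (in_array('I', $stack, true)) {
                    while (array_pop($stack) !== 'I') {
                    }
                }
            } else {
                $stack[] = in_array($name, ['LRI', 'RLI', 'FSI'], true) ? 'I' : 'E';
            }
        }
        $isText     = in_array($id, TEXT_TOKENS, true);
        $findings[] = [
            'line'     => $line,
            'token'    => token_name($id),
            'chars'    => $chars,
            'severity' => (!$isText || $stack !== []) ? 'error' : 'warning',
        ];
    }
    return $findings;
}

// Constructed sample: the paper's "commented-out guard" pattern, ported to PHP.
// A Bidi-aware editor renders line 3 as   /* begin admins only */ if (isAdmin()) {
// and line 5 as   /* end admins only */ }   but to PHP both lines are plain comments.
$RLO = "\u{202E}"; $LRI = "\u{2066}"; $PDI = "\u{2069}";
$RLE = "\u{202B}"; $PDF = "\u{202C}";
$sample = "<?php\n"
    . "function isAdmin(): bool { return false; }\n"
    . "/*{$RLO} } {$LRI}if (isAdmin()){$PDI} {$LRI} begin admins only */\n"
    . "    echo \"You are an admin.\\n\";\n"
    . "/* end admins only {$RLO} { {$LRI}*/\n"
    . "\$label = \"{$RLE}שלום{$PDF}\"; // balanced RTL text: legitimate use\n";

foreach (findBidiControls($sample) as $f) {
    printf("%-7s line %d %-26s %s\n", $f['severity'], $f['line'], $f['token'], implode(' ', $f['chars']));
}

// The guard is illusory: the echo runs even though isAdmin() returns false.
eval(substr($sample, strlen("<?php\n")));
```

The two comment lines are reported as errors because a control is still open when the comment ends, while the string on the last line, whose RLE is closed by a PDF, is only a warning, which is the distinction the report's test data would need to exercise. In a real PHPCS sniff the same per-token loop would walk `$phpcsFile->getTokens()` once from the file's first token and call `addError()` or `addWarning()` on the offending token instead of printing.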
