author | Daniel Smith <daniel.smith@qt.io> | 2021-11-09 14:46:27 +0100 |
---|---|---|
committer | Daniel Smith <Daniel.Smith@qt.io> | 2021-11-15 09:37:14 +0000 |
commit | 8b17acbfde3c6f86d29e62f5de14e6b9340ac3ce (patch) | |
tree | 8075464bd87370f63e3b01f92fe1f865078c206d | |
parent | 6fa8b6904a6775175dff46f3c0ccf87fa709c788 (diff) | |
download | qtrepotools-8b17acbfde3c6f86d29e62f5de14e6b9340ac3ce.tar.gz |
Ban Unicode Bi-directional override characters from all text files
Since gerrit cannot selectively disable display of unicode characters
the sanity bot should give a -2 on any change which includes
blacklisted unicode characters used in the bi-directional override
attack vector. These characters should not appear in any reasonable
code in The Qt Project.
See "Trojan Source: Invisible Vulnerabilities"
Authors: Nicholas Boucher and Ross Anderson, 2021
eprint: 2111.00169
archivePrefix: arXiv
primaryClass: cs.CR
url: https://arxiv.org/abs/2111.00169
Fixes: QTQAINFRA-4630
Change-Id: I1fbec7890239cf7ec6bb5b9f9a2f64b6a13aa60f
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
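As an added illustration of what the hook's nine-code-point class catches (this is example code written for this page, not part of the commit or of qtrepotools, and it is Python rather than the hook's Perl), the script below builds a constructed Trojan Source sample in the "commenting-out" pattern described in the Boucher/Anderson paper, scans it with the same code-point ranges the hook uses, reports line, column and Unicode character name for each hit, and shows the logical view of the line, which is what the compiler actually tokenizes. The names `find_bidi_controls`, `logical_view`, `scan_bytes`, `Hit` and the sample text are assumptions of this example.

```python
import unicodedata
from typing import List, NamedTuple

# Same nine code points the hook's regex /[\x{202A}-\x{202E}\x{2066}-\x{2069}]/
# matches: LRE, RLE, PDF, LRO, RLO (U+202A..U+202E) and
# LRI, RLI, FSI, PDI (U+2066..U+2069).
BIDI_CONTROLS = frozenset(range(0x202A, 0x202F)) | frozenset(range(0x2066, 0x206A))


class Hit(NamedTuple):
    line: int       # 1-based line number, as a hook would report it
    column: int     # 1-based column within the line
    codepoint: int
    name: str       # official Unicode character name


def find_bidi_controls(text: str) -> List[Hit]:
    """Return every bidi control character in `text`, in source order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                hits.append(Hit(lineno, col, cp, unicodedata.name(ch)))
    return hits


def logical_view(line: str) -> str:
    """The line in logical (compiler) order with the invisible controls
    removed. The gap between this and what a bidi-aware editor renders
    is the whole attack."""
    return "".join(ch for ch in line if ord(ch) not in BIDI_CONTROLS)


def scan_bytes(raw: bytes) -> List[Hit]:
    """Diff lines usually arrive as bytes; decode before matching. A
    code-point class never matches the raw UTF-8 sequence (E2 80 AE for
    U+202E), so an undecoded check silently finds nothing."""
    return find_bidi_controls(raw.decode("utf-8", errors="replace"))


# Constructed sample (assumption of this example, not Qt code). To the C
# compiler line 2 is one comment from /* to */, so grantAccess() runs
# unconditionally; an editor applying the bidi algorithm lays the same line
# out as a closed comment followed by an `if (isAdmin)` guard.
TROJAN_SAMPLE = (
    "bool isAdmin = false;\n"
    "    /*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "    grantAccess();\n"
    "    /* end admins only */\n"
)


if __name__ == "__main__":
    for hit in find_bidi_controls(TROJAN_SAMPLE):
        print(f"line {hit.line} col {hit.column}: U+{hit.codepoint:04X} {hit.name}")
    print("compiler sees:", logical_view(TROJAN_SAMPLE.splitlines()[1]))
```

Non-ASCII that is not a bidi control (accented identifiers in comments, arrows in documentation) is deliberately left alone, matching the commit's position that only these nine characters have no legitimate place in the project's text files.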
-rwxr-xr-x | git-hooks/sanitize-commit | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/git-hooks/sanitize-commit b/git-hooks/sanitize-commit index 3970789..5a95ca1 100755 --- a/git-hooks/sanitize-commit +++ b/git-hooks/sanitize-commit @@ -837,6 +837,11 @@ while (<DIFF>) { complain_ln("__OBJC__ will never be defined for non-Objective-C/C++ source files", "objc"); } } + # Check for Unicode Bi-directional Override exploit characters. + # See https://trojansource.codes/ + if (/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/) { + complain_ln("Unicode bi-directional override characters", "bidi", 1) + } } else { flushChunk() if ($chunk); if (/^ /) { |
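Review bot: the `\x{202A}`..`\x{2069}` ranges in the new regex are code points, so the check only fires if the line in `$_` has already been decoded from UTF-8; if DIFF is read as raw bytes, U+202E arrives as the three bytes E2 80 AE and the character class never matches, leaving the ban silently ineffective. Please confirm the DIFF handle (or the line) is decoded with a UTF-8 layer before this match, and verify with a test change containing one of these characters that the -2 is actually produced. Minor: `complain_ln("Unicode bi-directional override characters", "bidi", 1)` lacks a terminating semicolon; Perl accepts it as the last statement in the block, but the neighbouring `complain_ln` call ends in `;`, so add one for consistency. The comment says "exploit characters"; listing the nine controls (LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI) next to the ranges would let a later reader audit the class without decoding the hex.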