Potential new sniff: scan code for "Trojan source" #3465
Comments
I saw this come through our work security channel yesterday and had a similar thought around a sniff, but I don't think it belongs in the core. There is a PHPCS security standard that is integrated into GitLab. I haven't used it, but it might be a good target: https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit
Yes, that standard was my first thought. Unfortunately I know from experience that that standard is not being actively maintained, so chances of the sniff ever getting merged are slim to none. The repo for the standard is here: https://github.com/FloeDesignTechnologies/phpcs-security-audit/
When I finally have some breathing room again, I may consider taking over that standard or starting a fork which will be actively maintained, but that may be a while yet. I might just create a sniff for this anyway and pull it to PHPCSExtra for now.
Closing as replaced by PHPCSStandards/PHPCSExtra#286
A new security advisory and associated article have recently been published about an attack vector called "Trojan Source" and someone already suggested to me to write a sniff to detect this pattern.
A sniff could be written to detect these specific unicode control characters in files and flag these.
The attack has been confirmed to work in JS, but I expect it to also work in PHP, even though PHP is not mentioned in the paper. Will test this, of course, to confirm.
Would this be a sniff which would be acceptable for PHPCS itself (in a new Generic - Security category) or should I prepare it for one of the external standards? For the test data, I'd need a combination of both the typical attacks as well as text strings/comments with legitimate uses of those code points to prevent false positives.
That last part will probably be the hardest to handle, so code samples for that would be helpful to receive.
Links to info about Trojan Source:
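As an added illustration of what the proposed sniff would have to do (this is example code, not a PHP_CodeSniffer sniff and not from PHPCSExtra), the stand-alone scanner below tokenizes a PHP source with token_get_all() and reports the bidirectional control characters the Trojan Source paper relies on (U+202A..U+202E and U+2066..U+2069). The severity policy is an assumption made for this example: a control character outside a comment or string literal, or one opened in a comment/string and not closed before the end of the line, is reported as an error, while a balanced pair inside text (a legitimate right-to-left string) is only a warning for human review.

```php
<?php
// Added example, not PHP_CodeSniffer or PHPCSExtra code: a stand-alone scanner for
// the Unicode bidirectional control characters that "Trojan Source" relies on.
// Token types in which a bidi control can plausibly be legitimate (right-to-left
// text inside a comment or string literal). Anywhere else it can only mislead.
const TEXT_TOKENS = [T_COMMENT, T_DOC_COMMENT, T_CONSTANT_ENCAPSED_STRING, T_ENCAPSED_AND_WHITESPACE, T_INLINE_HTML];

function scanBidiControls(string $source): array
{
    $findings = [];
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {
            continue; // one-character tokens such as ';' cannot carry these code points
        }
        [$id, $text, $startLine] = $token;
        if (!preg_match('/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u', $text)) {
            continue;
        }
        // Check each physical line of the token. An embedding/override/isolate that
        // is opened but not closed before the line ends is the shape the attack uses.
        foreach (explode("\n", $text) as $offset => $line) {
            $opens  = preg_match_all('/[\x{202A}\x{202B}\x{202D}\x{202E}\x{2066}-\x{2068}]/u', $line);
            $closes = preg_match_all('/[\x{202C}\x{2069}]/u', $line);
            if ($opens + $closes === 0) {
                continue;
            }
            $inText = in_array($id, TEXT_TOKENS, true);
            $findings[] = [
                'line'     => $startLine + $offset,
                'token'    => token_name($id),
                // Assumed policy: balanced controls inside text are a warning, all else an error.
                'severity' => (!$inText || $opens > $closes) ? 'error' : 'warning',
                'detail'   => sprintf('%d opener(s), %d closer(s)', $opens, $closes),
            ];
        }
    }
    return $findings;
}

// Constructed sample input: line 3 is a comment with an unclosed RLO (U+202E) and
// isolates, the pattern from the paper; line 5 is a legitimate, balanced RLI...PDI.
$source = "<?php\n"
    . "\$isAdmin = false;\n"
    . "/*\u{202E} } \u{2066}if (\$isAdmin)\u{2069} \u{2066} begin admins only */\n"
    . "    echo 'admins only';\n"
    . "\$greeting = '\u{2067}שלום\u{2069}';\n";
foreach (scanBidiControls($source) as $f) {
    printf("%s line %d (%s): %s\n", strtoupper($f['severity']), $f['line'], $f['token'], $f['detail']);
}
```

To scan a real file, replace the constructed `$source` with `file_get_contents($path)`; a sniff would do the same per-token check from within PHPCS's token stream instead of calling token_get_all() itself.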