[ovs-dev] [PATCH v3] checkpatch: Detect "trojan source" attack

Gaëtan Rivet grive at u256.net
Mon Nov 22 16:06:26 UTC 2021

On Thu, Nov 18, 2021, at 16:45, Mike Pattrick wrote:
> Recently there has been a lot of press about the "trojan source" attack,
> where Unicode characters are used to obfuscate the true functionality of
> code. This attack didn't effect OVS, but adding the check here will help
> guard against it sneaking in later.
> Signed-off-by: Mike Pattrick <mkp at redhat.com>
> ---
> Changes in v2:
>    - Now all unicode characters will result in an error.
> Changes in v3:
>    - Added a test to validate behavior
> Signed-off-by: Mike Pattrick <mkp at redhat.com>

Hello Mike,

Thanks for the test, it's useful.
I think the regex pattern might have expressed its intent
in a clearer way[1], but this is really a nit. I'm not even
fully convinced the alternative reads better, it's just that
the intent of 'covering all printable ascii' is understood only
by knowing the ascii values of ' ' and '~'.

But this is a nit, and the intent is conveyed by the variable name

Acked-by: Gaetan Rivet <grive at u256.net>

[1]: by replacing '[^ -~\t]' by '[^\u0020-\u007e\t]',
or even '[^\u0000-\u007f]' for a strict/dumb 'non-ascii' definition.

Best regards,
Gaetan Rivet

More information about the dev mailing list