[ovs-dev] [PATCH v3] checkpatch: Detect "trojan source" attack

Ilya Maximets i.maximets at ovn.org
Mon Nov 29 23:17:20 UTC 2021

On 11/22/21 17:06, Gaëtan Rivet wrote:
> On Thu, Nov 18, 2021, at 16:45, Mike Pattrick wrote:
>> Recently there has been a lot of press about the "trojan source" attack,
>> where Unicode characters are used to obfuscate the true functionality of
>> code. This attack didn't affect OVS, but adding the check here will help
>> guard against it sneaking in later.
>> Signed-off-by: Mike Pattrick <mkp at redhat.com>
>> ---
>> Changes in v2:
>>    - Now all unicode characters will result in an error.
>> Changes in v3:
>>    - Added a test to validate behavior
>> Signed-off-by: Mike Pattrick <mkp at redhat.com>
> Hello Mike,
> Thanks for the test, it's useful.
> I think the regex pattern might have expressed its intent
> in a clearer way[1], but this is really a nit. I'm not even
> fully convinced the alternative reads better, it's just that
> the intent of 'covering all printable ascii' is understood only
> by knowing the ascii values of ' ' and '~'.
> But this is a nit, and the intent is conveyed by the variable name
> anyway.
> Acked-by: Gaetan Rivet <grive at u256.net>
> [1]: by replacing '[^ -~\t]' by '[^\u0020-\u007e\t]',
> or even '[^\u0000-\u007f]' for a strict/dumb 'non-ascii' definition.

I'd vote for '[^\u0000-\u007f]' if that works.  It's much easier to read
than '[^ -~\t]'.  Or even '[^\x00-\x7f]', if possible.

Best regards, Ilya Maximets.
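As an added example (not code from the OVS patch, from checkpatch, or from any participant in this thread), the script below scans the added lines of a unified diff with both expressions discussed above and reports what each one catches. The sample diff, the file name lib/access.c and the helper names are constructed for illustration; the bidi control names are the Unicode ones.

```python
import re

# The two candidate expressions from the thread. The first is the form in the
# patch under review: anything that is not printable ASCII or a tab. The second
# is the "strict/dumb non-ascii" form Gaetan suggested and Ilya prefers: any
# character above 0x7f.
PRINTABLE_ASCII_OR_TAB = re.compile(r'[^ -~\t]')
NON_ASCII = re.compile(r'[^\x00-\x7f]')

# Unicode bidirectional controls abused by "trojan source". They are used only
# to label hits; both expressions above already reject them because every one
# of them lies outside ASCII.
BIDI_CONTROLS = {
    '\u202a': 'LRE', '\u202b': 'RLE', '\u202c': 'PDF', '\u202d': 'LRO',
    '\u202e': 'RLO', '\u2066': 'LRI', '\u2067': 'RLI', '\u2068': 'FSI',
    '\u2069': 'PDI',
}


def scan_line(line, pattern=NON_ASCII):
    """Return (column, 'U+XXXX', label) for every character in `line` that
    `pattern` matches. Columns are 0-based."""
    hits = []
    for m in pattern.finditer(line):
        ch = m.group(0)
        label = BIDI_CONTROLS.get(ch)
        if label is None:
            label = 'non-ascii' if ord(ch) > 0x7f else 'non-printable'
        hits.append((m.start(), 'U+%04X' % ord(ch), label))
    return hits


def check_diff(diff_text, pattern=NON_ASCII):
    """Scan only the added lines of a unified diff, as checkpatch does, and
    return a list of (diff_line_number, column, codepoint, label).

    Split on '\\n' only: str.splitlines() also treats form feed (0x0c),
    U+2028 and U+2029 as line breaks, which would hide exactly the
    characters a scanner like this is meant to catch."""
    errors = []
    for num, raw in enumerate(diff_text.split('\n'), start=1):
        if not raw.startswith('+') or raw.startswith('+++'):
            continue
        for col, cp, label in scan_line(raw[1:], pattern):
            errors.append((num, col, cp, label))
    return errors


# Constructed sample diff (not from OVS). Diff line 3 carries a trojan-source
# style payload: a Right-to-Left Override followed by isolates makes the
# string literal "user" visually swallow the rest of the condition and show a
# fake comment instead. Line 4 has an accented letter in a comment, which the
# v2 patch also rejects. Line 5 ends in a form feed, which is ASCII but not
# printable, so only the '[^ -~\t]' form flags it.
SAMPLE_DIFF = (
    '--- a/lib/access.c\n'
    '+++ b/lib/access.c\n'
    '+    if (access_level != "user\u202e \u2066// Check if admin\u2069 \u2066") {\n'
    '+        /* Reviewed by Ga\u00ebtan */\n'
    '+        return 1;\x0c\n'
    ' }\n'
)

if __name__ == '__main__':
    for name, pat in (('[^ -~\\t]', PRINTABLE_ASCII_OR_TAB),
                      ('[^\\x00-\\x7f]', NON_ASCII)):
        print('pattern %s:' % name)
        for num, col, cp, label in check_diff(SAMPLE_DIFF, pat):
            print('  diff line %d col %d: %s (%s)' % (num, col, cp, label))
```

Both expressions catch every bidi control in the payload line and the accented letter; they differ only on the ASCII control characters between 0x00 and 0x1f (other than tab) and on 0x7f, which the '[^ -~\t]' form rejects and the '[^\x00-\x7f]' form lets through.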
