Highlight Unicode BIDI characters as Security Hotspot

cba · November 1, 2021, 6:09pm

As reported today, there is a vulnerability when using Unicode characters that allows a malicious actor to disguise source code in the eyes of the programmer, by using Unicode BIDI characters. This was published today as the “Trojan Source” bug affecting virtually all development environments and compilers.

The research paper is available here: https://www.trojansource.codes/trojan-source.pdf
And a summary by Krebs on Security is here: ‘Trojan Source’ Bug Threatens the Security of All Code – Krebs on Security

It should be an easy thing for SonarQube to scan for those characters in Unicode files, and flag them as a (Critical?) Security Hotspot.

Hendrik_Buchwald · November 2, 2021, 8:34am

Hi Chris and welcome to the community! Thanks for the suggestion, we will have a look.

chrism · November 4, 2021, 9:56pm

@Hendrik_Buchwald Any update on this one? I would love to be able to say we can scan for this vulnerability

Catalina_Barbat · November 25, 2021, 2:51pm

Any answer/solution please?

Alexandre_Gigleux · November 26, 2021, 7:41am

Hello,

SonarSource would like to detect such problem and we are getting organized to be able to deliver this feature ASAP. The related item in our Productboard Portal is SonarSource products detect Unicode BIDI characters to prevent Trojan Source Attacks - SonarQube | Product Roadmap and I hope we will be able to deliver this for SonarQube 9.3

Alex

Prokke · November 26, 2021, 9:36am

Will there be an update for 8.9LTS?

Hendrik_Buchwald · November 29, 2021, 12:41pm

The idea of the LTS is to not provide new features but only fix critical bugs. So this feature will not be part of 8.9 LTS, no. For people that want the latest features, we recommend using the latest version instead of LTS.