{"id":13646881,"url":"https://github.com/NebulousLabs/glyphcheck","last_synced_at":"2025-04-21T21:31:38.809Z","repository":{"id":39649429,"uuid":"88389053","full_name":"NebulousLabs/glyphcheck","owner":"NebulousLabs","description":"Detect malicious homoglyphs in Go source code","archived":false,"fork":false,"pushed_at":"2017-04-25T18:59:41.000Z","size":7,"stargazers_count":47,"open_issues_count":2,"forks_count":5,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-09T20:37:50.750Z","etag":null,"topics":["homoglyphs","pre-commit"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NebulousLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-16T03:39:40.000Z","updated_at":"2024-01-06T04:35:48.000Z","dependencies_parsed_at":"2022-09-22T17:11:58.732Z","dependency_job_id":null,"html_url":"https://github.com/NebulousLabs/glyphcheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NebulousLabs%2Fglyphcheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NebulousLabs%2Fglyphcheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NebulousLabs%2Fglyphcheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NebulousLabs%2Fglyphcheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NebulousLabs","download_url":"https://codeload.github.com/NebulousLabs/glyphcheck/tar.gz/refs/heads/master","host":{"name":"GitHub",
"url":"https://github.com","kind":"github","repositories_count":250136749,"owners_count":21380885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["homoglyphs","pre-commit"],"created_at":"2024-08-02T01:03:12.844Z","updated_at":"2025-04-21T21:31:38.592Z","avatar_url":"https://github.com/NebulousLabs.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"glyphcheck\n----------\n\n```\ngo get github.com/NebulousLabs/glyphcheck\n```\n\n`glyphcheck` checks for suspicious characters in Go source files.\n\nThe motivation for `glyphcheck` is to catch exploits that abuse Unicode\nlookalike characters, also known as \"homoglyphs\", to sneak malicious code past\na code review. For example:\n\n```go\nimport \"gitһub.com/spf13/cobra\"\n\nfunc main() {\n\tcmd := \u0026cobra.Command{\n\t\tUse: \"cmd\",\n\t\tRun: func(*cobra.Command, []string) {\n\t\t\tprintln(\"Hello!\")\n\t\t},\n\t}\n\tcmd.Execute()\n}\n```\n\nIf you are familiar with [cobra](https://github.com/spf13/cobra), you know\nthat this code will simply print `\"Hello!\"` to `os.Stderr`. Except this isn't\ncobra, it's an entirely different package. Go ahead and copy the import URL\ninto your browser and see where you wind up. 
Maybe your system's fonts make\nthis easy to detect -- but that isn't the case for everyone.\n\nThis attack can also be performed with variables, and is particularly\ninsidious when combined with variable shadowing:\n\n```go\nfunc writeFile(filename string, data []byte) error {\n\tf, err := os.Create(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\tif _, еrr := f.Write(data); err != nil {\n\t\treturn еrr\n\t}\n\treturn nil\n}\n```\n\nHere, `err` and `еrr` look identical, but are in fact different variables.\nOnly `err` is checked, so the call to `f.Write` can silently fail. This isn't\nmuch of an exploit, but creative minds can no doubt devise something more\ndangerous.\n\nSecurity-conscious projects should run `glyphcheck` on all code submitted for\nreview. This is easily accomplished by adding the following lines to your\n`.travis.yml` or `appveyor.yml`:\n\n```yaml\ninstall:\n  - glyphcheck ./...\n```\n\nSo far, `glyphcheck` has not turned up any malicious homoglyphs in any\npublicly available Go code. If you detect such an attack, please let us\nknow!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNebulousLabs%2Fglyphcheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNebulousLabs%2Fglyphcheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNebulousLabs%2Fglyphcheck/lists"}
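The README above shows the two shapes of the attack (a lookalike import path and a lookalike, shadowing variable) and says to run `glyphcheck` in CI, but not how such a check finds them. The following is an added example, not `glyphcheck`'s own code: it parses a Go file with the standard `go/parser` and flags every identifier and import path containing a rune outside ASCII. That rule is a heuristic chosen for this example and may be stricter or looser than `glyphcheck`'s real one. The `Finding`, `Check` and `hasNonASCII` names are this example's; the two sample sources are constructed from the README's snippets and reuse its lookalike letters.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"unicode"
)

// Finding is one suspicious token found in a Go source file.
type Finding struct {
	Pos  token.Position
	Kind string // "identifier" or "import path"
	Text string
}

// hasNonASCII reports whether s contains any rune outside the ASCII range.
// The Go spec allows any Unicode letter in an identifier, which is exactly
// what a homoglyph attack abuses: a Cyrillic letter is a legal identifier
// character that most fonts render identically to its Latin lookalike.
func hasNonASCII(s string) bool {
	for _, r := range s {
		if r > unicode.MaxASCII {
			return true
		}
	}
	return false
}

// Check parses src as a Go file and reports every identifier and import path
// that contains a non-ASCII rune. Comments and ordinary string literals are
// deliberately not inspected: that is where legitimate non-ASCII text lives,
// and a lookalike there does not change which package or variable is used.
// (Heuristic chosen for this example; glyphcheck's own rules may differ.)
func Check(filename string, src []byte) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.Ident:
			if hasNonASCII(x.Name) {
				findings = append(findings, Finding{fset.Position(x.Pos()), "identifier", x.Name})
			}
		case *ast.ImportSpec:
			// x.Path.Value is the quoted literal exactly as written in the source.
			if path, uerr := strconv.Unquote(x.Path.Value); uerr == nil && hasNonASCII(path) {
				findings = append(findings, Finding{fset.Position(x.Path.Pos()), "import path", path})
			}
		}
		return true
	})
	return findings, nil
}

// Constructed sample inputs reproducing the README's two examples (the
// lookalike letters in "gitһub" and "еrr" are copied from the README).
const sampleImport = `package main

import "gitһub.com/spf13/cobra"

func main() {
	cmd := &cobra.Command{
		Use: "cmd",
		Run: func(*cobra.Command, []string) {
			println("Hello!")
		},
	}
	cmd.Execute()
}
`

const sampleShadow = `package main

import "os"

func writeFile(filename string, data []byte) error {
	f, err := os.Create(filename)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, еrr := f.Write(data); err != nil {
		return еrr
	}
	return nil
}
`

func main() {
	samples := []struct{ name, src string }{{"cobra.go", sampleImport}, {"write.go", sampleShadow}}
	for _, s := range samples {
		findings, err := Check(s.name, []byte(s.src))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		for _, f := range findings {
			// %+q escapes non-ASCII runes, so the hidden code point becomes visible
			// even when the terminal font renders the lookalike perfectly.
			fmt.Printf("%s: suspicious %s %+q\n", f.Pos, f.Kind, f.Text)
		}
	}
}
```

Run against the README's first snippet this reports the import path at line 3; against the second it reports the `еrr` identifier at both the declaration and the `return`, and printing with `%+q` exposes the `\u04xx` escape that the eye cannot see. Two caveats for anyone wiring a check like this into the `install:` step shown above: a codebase that legitimately uses non-ASCII identifiers needs an allowlist rather than a blanket rule, and a lookalike inside an ordinary string literal (for instance a download URL assembled at runtime) is outside what an identifier-level scan can catch, so string literals that name remote hosts deserve the same escaped-print treatment in review.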