{"id":13525288,"url":"https://github.com/lirantal/anti-trojan-source","last_synced_at":"2025-04-09T14:10:18.794Z","repository":{"id":37975095,"uuid":"424958916","full_name":"lirantal/anti-trojan-source","owner":"lirantal","description":"Detect trojan source attacks that employ unicode bidi attacks to inject malicious code","archived":false,"fork":false,"pushed_at":"2023-01-04T12:31:32.000Z","size":1600,"stargazers_count":42,"open_issues_count":1,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-04-24T13:27:49.143Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lirantal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2021-11-05T13:31:53.000Z","updated_at":"2023-09-08T18:28:17.000Z","dependencies_parsed_at":"2023-02-02T12:15:57.151Z","dependency_job_id":null,"html_url":"https://github.com/lirantal/anti-trojan-source","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fanti-trojan-source","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fanti-trojan-source/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fanti-trojan-source/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lirantal%2Fanti-trojan-source/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lirantal","download_url":"https://codeload.github.com/lirantal/anti-trojan-source/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248054194,"owners_count":21039952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:01:17.433Z","updated_at":"2025-04-09T14:10:18.772Z","avatar_url":"https://github.com/lirantal.png","language":"JavaScript","funding_links":[],"categories":["Security Hardening","JavaScript"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003ch1 align=\"center\"\u003e\n  anti-trojan-source\n\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  Detect trojan source attacks that employ unicode bidi attacks to inject malicious code\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/lirantal/anti-trojan-source/raw/main/.github/anti-trojan-source-logo.png\" height=\"220\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.org/package/anti-trojan-source\"\u003e\u003cimg src=\"https://badgen.net/npm/v/anti-trojan-source\" alt=\"npm version\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.org/package/anti-trojan-source\"\u003e\u003cimg src=\"https://badgen.net/npm/license/anti-trojan-source\" alt=\"license\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.org/package/anti-trojan-source\"\u003e\u003cimg src=\"https://badgen.net/npm/dt/anti-trojan-source\" alt=\"downloads\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/lirantal/anti-trojan-source/actions?workflow=CI\"\u003e\u003cimg src=\"https://github.com/lirantal/anti-trojan-source/workflows/CI/badge.svg\" alt=\"build\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://codecov.io/gh/lirantal/anti-trojan-source\"\u003e\u003cimg src=\"https://badgen.net/codecov/c/github/lirantal/anti-trojan-source\" alt=\"codecov\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://snyk.io/test/github/lirantal/anti-trojan-source\"\u003e\u003cimg src=\"https://snyk.io/test/github/lirantal/anti-trojan-source/badge.svg\" alt=\"Known Vulnerabilities\"/\u003e\u003c/a\u003e\n  \u003ca href=\"./SECURITY.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg\" alt=\"Responsible Disclosure Policy\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# About\n\nDetects cases of [trojan source attacks](https://trojansource.codes) that employ unicode bidi attacks to inject malicious code\n\nIf you're using ESLint:\n* See: [eslint-plugin-anti-trojan-source](https://github.com/lirantal/eslint-plugin-anti-trojan-source) for a purpose-bulit plugin to detect anti-trojan characters.\n* This plugin [inspired work](https://github.com/eslint-community/eslint-plugin-security/pull/95) to create an anti-trojan rule `detect-bidi-characters` in [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) and if you're already using that security plugin then it is advised to turn on that rule.\n\n## Why is Trojan Source important?\n\nThe following publication on the topic of unicode characters attacks, dubbed [Trojan Source: Invisible Vulnerabilities](https://trojansource.codes/trojan-source.pdf), has caused a lot of concern from potential supply chain attacks where adversaries are able to inject malicious code into the source code of a project, slipping by unseen in the code review process.\n\nFor more information on the topic, you're welcome to read on the official website [trojansource.codes](https://trojansource.codes/) and the following [source code repository](https://github.com/nickboucher/trojan-source/) which contains the source code of the publication.\n\n---\n\nTable of Contents\n\n- [Use as a CLI](#use-as-a-cli)\n  - [Detect Trojan Source attacks using file globbing](#detect-trojan-source-attacks-using-file-globbing)\n  - [Detect Trojan Source attacks using file paths](#detect-trojan-source-attacks-using-file-paths)\n  - [Detect Trojan Source attacks by piping input](#detect-trojan-source-attacks-by-piping-input)\n- [Use as an eslint plugin](#use-as-an-eslint-plugin)\n- [Use as a library](#use-as-a-library)\n\n---\n\n# Use as a CLI\n\n`anti-trojan-source` is an npm package that supports detecting files that contain bidirectional unicode characters in them, per the research.\n\n## Detect Trojan Source attacks using file globbing\n\nThe following command will detect all files that contain bidirectional unicode characters in them based on the file matching pattern that was provided to it:\n\n```bash\nnpx anti-trojan-source --files='src/**/*.js'\n```\n\nIf it doesn't find anything it will return with a 0 exit code and print to stdout:\n\n```\n[✓] No case of trojan source detected\n```\n\n## Detect Trojan Source attacks using file paths\n\n```bash\nnpx anti-trojan-source '/src/index.js' '/src/helper.js'\n```\n\nIf it found any matching bidi unicode characters, it will return with an exit code of 1 and print to stderr:\n\n```\n[x] Detected cases of trojan source in the following files:\n|\n - /src/index.js\n - /src/helper.js\n```\n\n## Detect Trojan Source attacks by piping input\n\nIf you just run `npx anti-trojan-source` and pipe in a file contents, it will detect the bidi unicode characters in that file:\n\n```bash\ncat /src/index.js | npx anti-trojan-source\n```\n\n# Use as an eslint plugin\n\nRefer to the ESLint Plugin for this CLI and the README on that repository which clearly explains how to set it up: [eslint-plugin-anti-trojan-source](https://github.com/lirantal/eslint-plugin-anti-trojan-source).\n\n# Use as a library\n\nTo use it as a library and pass it file contents to detect:\n\n```js\nimport { hasTrojanSource } from 'anti-trojan-source'\nconst isDangerous = hasTrojanSource({\n  sourceText: 'if (accessLevel != \"user‮ ⁦// Check if admin⁩ ⁦\") {'\n})\n```\n\n`hasTrojanSource` returns a boolean.\n\n# Use as a pre-commit hook\n\nTo add this tool to your project as a [`pre-commit`](https://pre-commit.com) hook, try this sample configuration in `.pre-commit-config.yaml`:\n\n```yaml\nrepos:\n  - repo: https://github.com/lirantal/anti-trojan-source\n    rev: v1.3.3  # choose the release you want\n    hooks:\n      - id: anti-trojan-source\n```\n\n# Contributing\n\nPlease consult [CONTRIBUTING](./CONTRIBUTING.md) for guidelines on contributing to this project.\n\n# Author\n\n**anti-trojan-source** © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Fanti-trojan-source","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flirantal%2Fanti-trojan-source","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flirantal%2Fanti-trojan-source/lists"}