Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/lirantal/anti-trojan-source

Detect trojan source attacks that employ unicode bidi attacks to inject malicious code
https://github.com/lirantal/anti-trojan-source

Last synced: about 2 months ago
JSON representation

Detect trojan source attacks that employ unicode bidi attacks to inject malicious code

Host: GitHub
URL: https://github.com/lirantal/anti-trojan-source
Owner: lirantal
License: apache-2.0
Created: 2021-11-05T13:31:53.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2023-01-04T12:31:32.000Z (over 1 year ago)
Last Synced: 2024-04-24T13:27:49.143Z (5 months ago)
Language: JavaScript
Size: 1.53 MB
Stars: 42
Watchers: 3
Forks: 3
Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md

Awesome Lists containing this project

awesome-nodejs-security - anti-trojan-source - Detect trojan source attacks that employ unicode bidi attacks to inject malicious code. (Security Hardening)

README

        


  anti-trojan-source





  Detect trojan source attacks that employ unicode bidi attacks to inject malicious code





  





  

  

  

  

  

  

  



# About

Detects cases of [trojan source attacks](https://trojansource.codes) that employ unicode bidi attacks to inject malicious code

If you're using ESLint:

* See: [eslint-plugin-anti-trojan-source](https://github.com/lirantal/eslint-plugin-anti-trojan-source) for a purpose-bulit plugin to detect anti-trojan characters.

* This plugin [inspired work](https://github.com/eslint-community/eslint-plugin-security/pull/95) to create an anti-trojan rule `detect-bidi-characters` in [eslint-plugin-security](https://github.com/eslint-community/eslint-plugin-security) and if you're already using that security plugin then it is advised to turn on that rule.

## Why is Trojan Source important?

The following publication on the topic of unicode characters attacks, dubbed [Trojan Source: Invisible Vulnerabilities](https://trojansource.codes/trojan-source.pdf), has caused a lot of concern from potential supply chain attacks where adversaries are able to inject malicious code into the source code of a project, slipping by unseen in the code review process.

For more information on the topic, you're welcome to read on the official website [trojansource.codes](https://trojansource.codes/) and the following [source code repository](https://github.com/nickboucher/trojan-source/) which contains the source code of the publication.

---

Table of Contents

- [Use as a CLI](#use-as-a-cli)

  - [Detect Trojan Source attacks using file globbing](#detect-trojan-source-attacks-using-file-globbing)

  - [Detect Trojan Source attacks using file paths](#detect-trojan-source-attacks-using-file-paths)

  - [Detect Trojan Source attacks by piping input](#detect-trojan-source-attacks-by-piping-input)

- [Use as an eslint plugin](#use-as-an-eslint-plugin)

- [Use as a library](#use-as-a-library)

---

# Use as a CLI

`anti-trojan-source` is an npm package that supports detecting files that contain bidirectional unicode characters in them, per the research.

## Detect Trojan Source attacks using file globbing

The following command will detect all files that contain bidirectional unicode characters in them based on the file matching pattern that was provided to it:

```bash

npx anti-trojan-source --files='src/**/*.js'

```

If it doesn't find anything it will return with a 0 exit code and print to stdout:

```

[✓] No case of trojan source detected

```

## Detect Trojan Source attacks using file paths

```bash

npx anti-trojan-source '/src/index.js' '/src/helper.js'

```

If it found any matching bidi unicode characters, it will return with an exit code of 1 and print to stderr:

```

[x] Detected cases of trojan source in the following files:

|

 - /src/index.js

 - /src/helper.js

```

## Detect Trojan Source attacks by piping input

If you just run `npx anti-trojan-source` and pipe in a file contents, it will detect the bidi unicode characters in that file:

```bash

cat /src/index.js | npx anti-trojan-source

```

# Use as an eslint plugin

Refer to the ESLint Plugin for this CLI and the README on that repository which clearly explains how to set it up: [eslint-plugin-anti-trojan-source](https://github.com/lirantal/eslint-plugin-anti-trojan-source).

# Use as a library

To use it as a library and pass it file contents to detect:

```js

import { hasTrojanSource } from 'anti-trojan-source'

const isDangerous = hasTrojanSource({

  sourceText: 'if (accessLevel != "user‮ ⁦// Check if admin⁩ ⁦") {'

})

```

`hasTrojanSource` returns a boolean.

# Use as a pre-commit hook

To add this tool to your project as a [`pre-commit`](https://pre-commit.com) hook, try this sample configuration in `.pre-commit-config.yaml`:

```yaml

repos:

  - repo: https://github.com/lirantal/anti-trojan-source

    rev: v1.3.3  # choose the release you want

    hooks:

      - id: anti-trojan-source

```

# Contributing

Please consult [CONTRIBUTING](./CONTRIBUTING.md) for guidelines on contributing to this project.

# Author

**anti-trojan-source** © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License.