Mirror of forum.nim-lang.org

8576 :: Nim's version of the Trojan Source vulnerability

• benob (orginal) [2021-11-01T15:05:33+01:00] view original

  As described in https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

  let access_level = "user"
  
  if access_level != "user‮⁦# check if admin⁩ ⁦":
    echo "you are admin"
  else:
    echo "you are peon"
  Run

  Copy-paste the above code in a unicode-conformant editor, and run it. Chances are that it will tell you that you are an admin.

  I tested visual code and gedit to be affected, vim at least shows some garbage.

---

• DeletedUser (orginal) [2021-11-01T15:37:42+01:00] view original

  Most people would use an enum for this. If not, you would individually cover the case of the string being "admin" and all other possible values instead of assuming an invalid value to be admin. I would also expect editors like VS code to already highlight invisible characters. Either way though, I don't see a problem with warning for invisible characters natively, even in strings with RTL text, but I don't think it's that urgent as a security measure.

---

• benob (orginal) [2021-11-01T15:57:08+01:00] view original

  There is a more practical example in this go issue: https://github.com/golang/go/issues/20209

---

• Araq (orginal) [2021-11-01T17:58:54+01:00] view original

  User data plus login information usually lives in a database, not in Nim source code...

---

• robb1e (orginal) [2021-11-01T18:27:02+01:00] view original

  nice joke

---

• planetis (orginal) [2021-11-01T19:08:25+01:00] view original

  From the other hand, I find the if condition a joke.

---

• xigoi (orginal) [2021-11-01T19:37:02+01:00] view original

  This is a problem with editors, not languages.

---

• dwin (orginal) [2021-11-01T19:55:06+01:00] view original

  Unicode use for social engineering has been long known issue with various software. Now they have given it a cool name and logo. This is a problem for code review tools and editors to consider.

---

• kobi (orginal) [2021-11-01T20:20:11+01:00] view original

  perhaps vscode (or the plugin) should show these invisible characters. otoh, i don't think it's a priority for Nim.

---

• dom96 (orginal) [2021-11-01T20:38:54+01:00] view original

  while not a priority, I think this could be a nice easy/hacktoberfest-esque task for someone to implement detection of this in the Nim compiler :)

---

• demotomohiro (orginal) [2021-11-02T00:55:25+01:00] view original

  My Neovim displayed that code like if access_level != "user<202e> # check if admin⁩ ⁦":.

  But my Neovim doesn't show any garbage charactor in this code:

  proc runBadCode() =
    when defined(windows):
      echo "format c:"
    else:
      echo "sudo dd of=/dev/sda1 if=/dev/urandom"
  
  proc echo　(x: varargs[string, `$`]) =
    echo x
    runBadCode()
  
  proc еchо(x: varargs[string, `$`]) =
    # https://en.wikipedia.org/wiki/Cyrillic_script
    echo x
    runBadCode()
  
  proc ｒ(x: static string): string =
    # https://en.wikipedia.org/wiki/Halfwidth_and_fullwidth_forms
    runBadCode()
    x
  
  proc ‐(x: int): int =
    runBadCode()
    -x
  
  proc n(x: int): int = 7 + x
  
  
  echo  "Hello"
  echo　"Initializing ..."
  
  еchо("Loading ...")
  
  echo "Show windows path: ", r"c:\Program Files", ", ", ｒ"c:\windows\system"
  
  echo n ‐ 1
  Run

  https://play.nim-lang.org/#ix=3DEA

---

• benob (orginal) [2021-11-02T11:51:12+01:00] view original

  The more I look at this issue, the more I understand why it can't be solved at the language level (other than disallowing non-ascii characters). The levels of obfuscation you can reach with unicode identifiers are just silly.

  https://github.com/codebox/homoglyph/blob/master/raw_data/chars.txt

---

• kobi (orginal) [2021-11-02T13:56:46+01:00] view original

  Perhaps it can be solved with the type system, like you said, an ascii string, and a utf8 string. Maybe this explicitness is actually a good thing. be explicit when reading a file, specify the expected text encoding, exception if a char (or rune) failed to validate. the string in memory is now known to the developer, so ascii search in a unicode string, that could leave the developer head-scratching, will simply not work. Of course it could be a major language change. and not sure elegant from the language's author design point of view. But correct me if I'm wrong about the encoding assumption.

---

• ElegantBeef (orginal) [2021-11-03T04:47:14+01:00] view original

  Of course the type system can ensure this, tainted string was sort of in the same vein. You have a distinct string that you use when you dont trust the source you got a string from, then filter it when you need to do operations, a super brief(probably dumbly implemented version) is as follows:

  import std/[unicode, strformat]
  type
    AsciiStr = distinct string
    UnicodeStr = distinct string
    SomeString = string or ASciiStr or UniCodeStr
  
  proc `$`(s: AsciiStr): string {.borrow.}
  proc `$`(s: UnicodeStr): string {.borrow.}
  
  proc isAscii(s: string): bool =
    result = true
    for x in runes(s):
      if x.size != 1:
        result = false
        break
  
  proc aStr(s: string): AsciiStr =
    assert s.isAscii, fmt"String contains non ascii characters."
    result = AsciiStr(s)
  
  const admin = astr"admin"
  static: echo admin
  const  user = astr"user‮⁦"
  Run

---

• kobi (orginal) [2021-12-09T11:03:56+01:00] view original

  so, I was reading today that the dart language solves this issue in this way: The compiler issues a warning about any such invisible characters in a literal string. https://github.com/dart-lang/sdk/security/advisories/GHSA-8pcp-6qc9-rqmv

---