I have seen this come up recently: https://trojansource.codes
I was like: What a nifty trick! LOVE IT!
But then I started reading headlines in different **#cybersecurity** outlets framing it as a threat to the security of all code (https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)…
I rarely do this, but I have to calm people down on this one: this vulnerability is super easy to detect in any open source project. Here is a simple command that finds the bidi control characters in all of the examples inside https://github.com/nickboucher/trojan-source:
grep -rnE $'(\u2066|\u2067|\u2068|\u2069|\u202A|\u202B|\u202C|\u202D|\u202E|\u200E|\u200F|\u061C)' .
(The $'\uXXXX' quoting needs bash 4.2 or newer; it expands each code point to its UTF-8 bytes, so the pattern matches those literal byte sequences regardless of locale. The list covers the isolates LRI/RLI/FSI/PDI, the embeddings and overrides LRE/RLE/PDF/LRO/RLO, and the marks LRM/RLM/ALM.)
That's it. You can put that directly into your pipeline, and in fact the researchers gave everyone 90 days to address it before disclosure, so you will even see warnings inside GitHub if you still only do manual review.
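As an added example (not from the original post, and not part of the trojan-source repository), here is the same check packaged as a CI gate: it scans a tree, prints every offending line, and fails the build when any of the bidi control characters behind Trojan Source (CVE-2021-42574) are present. It assumes GNU grep, and it builds the characters with POSIX printf octal escapes instead of bash's $'\u...' so it also runs under dash or busybox sh, which is what many CI images ship. The sample files it scans are constructed for the demo and mimic the "comment that renders as closed but is still open" trick only loosely; they are not the paper's exact payloads.

```shell
#!/bin/sh
# Added example, not from the original post: a CI gate that fails when any file
# in a tree contains a Unicode bidi control character (the Trojan Source
# primitive). Needs GNU grep; otherwise plain POSIX sh.

# Emit a grep -E alternation of the twelve bidi controls as literal UTF-8 bytes.
#   U+2066..2069 LRI RLI FSI PDI    U+202A..202E LRE RLE PDF LRO RLO
#   U+200E/200F  LRM RLM            U+061C       ALM
bidi_pattern() {
    printf '\342\201\246|\342\201\247|\342\201\250|\342\201\251|'
    printf '\342\200\252|\342\200\253|\342\200\254|\342\200\255|\342\200\256|'
    printf '\342\200\216|\342\200\217|\330\234'
}

# scan_tree DIR: print file:line:text for every hit; grep exits 0 on hits, 1 if clean.
# -I skips binary files, -n adds line numbers, .git is excluded so packed objects
# are not scanned. The pattern is fixed bytes, so the locale does not matter.
scan_tree() {
    grep -rnI --exclude-dir=.git -E "$(bidi_pattern)" "$1"
}

# count_hits DIR: number of offending lines (0 when clean)
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# ci_gate DIR: return 0 when clean, 1 when bidi controls are present
ci_gate() {
    n=$(count_hits "$1")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n line(s) with bidi control characters under $1" >&2
        return 1
    fi
    echo "OK: no bidi control characters under $1"
    return 0
}

# make_sample DIR: constructed sample tree for the demo (not real project code):
# one clean C file, one C file with RLO and LRI hidden in a comment so that the
# rendered text and the compiled text disagree, and a Python file with an
# invisible RLM inside a string literal.
make_sample() {
    mkdir -p "$1"
    printf 'int main(void) { return 0; }\n' > "$1/clean.c"
    rlo=$(printf '\342\200\256')
    lri=$(printf '\342\201\246')
    printf '/* begin admins only %s { %s*/\nif (is_admin) {\n    grant_access();\n}\n' \
        "$rlo" "$lri" > "$1/trojan.c"
    rlm=$(printf '\342\200\217')
    printf 'msg = "hello%sworld"\n' "$rlm" > "$1/strings.py"
}

# Run as `sh bidi-gate.sh --demo` to see the check against the sample tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    scan_tree "$d"
    ci_gate "$d"
    rm -rf "$d"
fi
```

In a real pipeline you would call `ci_gate .` from the repository root; the two files the demo flags are exactly the kind of thing a reviewer's eyes cannot see but a byte-level grep cannot miss.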
I do not see this as a serious, long-lasting issue. For every person out there trying to compromise an open source project there is someone else looking to get the glory of finding such issues… And this one is low-hanging fruit that can be detected quickly. Hence, I am relaxed.
**#cybersecurity** **#devops** **#trojanSource** **#cloudComputing** **#pipeline**