I have seen this come up recently: https://trojansource.codes

I was like: What a nifty trick! LOVE IT!

But then I started reading headlines in different **#cybersecurity** outlets, framing it as a threat to security of all code (https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/)…

I rarely do this, but I have to calm people down on this one: This vulnerability is super easy to detect in any open source project. Let me give you a simple command that detects the bidi characters in all examples inside https://github.com/nickboucher/trojan-source:

```shell
# bash 4.2+ with a UTF-8 locale: $'\uXXXX' expands to the UTF-8 bytes of each code point
grep -rE $'(\u2066|\u2067|\u2068|\u202A|\u202B|\u202D|\u202E|\u202C|\u2069|\u200E|\u200F|\u061C)'
```

That’s it. You can put that directly into your pipeline, and in fact the researchers gave everyone 90 days’ time to address it, so you can even see warnings inside GitHub if you still rely on manual review alone.
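For a pipeline step that tells a reviewer more than match/no-match, here is an added example (not code from the original post or from the trojan-source repository) that looks for the same code points as the grep above, reports file, line and column, names the character, and rewrites the offending line so the invisible controls become visible. The sample lines are constructed here, modelled on the early-return pattern from the paper; the file-suffix allow-list in `scan_tree` is an assumption you should widen for your own repository.

```python
"""Added example: scan source text for Unicode bidi control characters.

Hypothetical helper, not part of the trojan-source repository. Exits 1 when
anything is found, so it can sit in CI next to (or instead of) the grep.
"""
import sys
import unicodedata
from pathlib import Path

# The same code points the grep matches: isolates (LRI/RLI/FSI/PDI),
# embeddings and overrides (LRE/RLE/PDF/LRO/RLO) and the directional marks
# (LRM/RLM/ALM). All of them are invisible in most editors and diff viewers.
BIDI_CONTROLS = {
    0x2066, 0x2067, 0x2068, 0x2069,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x200E, 0x200F, 0x061C,
}

# str.translate table: every control becomes a visible <U+XXXX> tag.
_REVEAL = {cp: f"<U+{cp:04X}>" for cp in BIDI_CONTROLS}


def reveal(line: str) -> str:
    """Return the line with each bidi control replaced by a visible <U+XXXX> tag."""
    return line.translate(_REVEAL)


def scan_text(text: str, name: str = "<input>") -> list:
    """Return one tuple per bidi control found:
    (name, line, col, 'U+XXXX', unicode name, line with controls revealed)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                findings.append((name, lineno, col, f"U+{cp:04X}",
                                 unicodedata.name(ch, "UNKNOWN"), reveal(line)))
    return findings


def scan_tree(root, suffixes=(".c", ".cpp", ".go", ".java", ".js", ".py", ".rs")) -> list:
    """Walk a directory and scan every file whose suffix is in the (assumed) allow-list."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary or non-UTF-8 file: nothing a bidi scan can say about it
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample input (not from the paper's repo). In SAMPLE_BIDI an RLO
# inside the string literal makes the comment render as part of the string, so
# a human reads a harmless comment while the parser sees a different condition.
SAMPLE_CLEAN = 'if access_level != "user": # check if admin\n    grant()\n'
SAMPLE_BIDI = (
    "if access_level != 'user\u202e \u2066# check if admin\u2069 \u2066':\n"
    "    grant()\n"
)


def main(argv):
    """CI entry point: scan the given paths (or the constructed sample) and exit 1 on findings."""
    if argv:
        findings = [f for p in argv for f in scan_tree(p)]
    else:
        print("no paths given; scanning the constructed sample instead")
        findings = scan_text(SAMPLE_BIDI, "sample.py")
    for name, lineno, col, cp, uname, shown in findings:
        print(f"{name}:{lineno}:{col}: {cp} {uname}")
        print("    " + shown)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python bidi_scan.py src/` in the pipeline; a non-zero exit fails the build, and the revealed line in the output shows the reviewer exactly where the override sits instead of leaving them to guess why a visually identical line was flagged.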

I do not see this as a serious, long-lasting issue. For every person out there trying to compromise open source projects, there is someone else out to earn glory by finding the issue… And this is low-hanging fruit that can be detected quickly. Hence, I am relaxed.

**#cybersecurity** **#devops** **#trojanSource** **#cloudComputing** **#pipeline**
