Re: [ovs-dev] [PATCH v4] checkpatch: Detect "trojan source" attack

Tue, 04 Jan 2022 10:13:00 -0800 

On 11/30/21 17:20, Mike Pattrick wrote:
> Recently there has been a lot of press about the "trojan source" attack,
> where Unicode characters are used to obfuscate the true functionality of
> code. This attack didn't effect OVS, but adding the check here will help
> guard against it sneaking in later.
> 
> Signed-off-by: Mike Pattrick <m...@redhat.com>
> ---
> Changes in v2:
>    - Now all unicode characters will result in an error.
> 
> Changes in v3:
>    - Added a test to validate behavior
> 
> Changes in v4:
>    - Simplified regex
> 
> ---
>  tests/checkpatch.at     | 22 ++++++++++++++++++++++
>  utilities/checkpatch.py | 11 +++++++++++
>  2 files changed, 33 insertions(+)

Some weird stuff is going on here.  On one of my systems (rhel 8.5)
I'm getting a consistent test failure.  The reason for that appears
to be a different default locale used while executing checkpatch.py
from a testsuite.  If checkpatch.py is invoked by hands, the
locale.getpreferredencoding() returns 'UTF-8', but if invoked from
a testsuite, I'm getting 'ANSI_X3.4-1968' instead.

This impacts the file read, since open() by default uses the
locale.getpreferredencoding() encoding, so email.message_from_file()
fails to read the file with unicode symbols and throws an exception
resulting with the following error:

  ERROR: Unable to parse file 'test.patch'. Is it a patch?

That fails the unit test.
I am not sure why the default locale is different while running
under the testsuite on this system.  The following change seems
to fix the problem:

diff --git a/utilities/checkpatch.py b/utilities/checkpatch.py
index 395d0fcde..8c7faa419 100755
--- a/utilities/checkpatch.py
+++ b/utilities/checkpatch.py
@@ -954,7 +954,7 @@ def ovs_checkpatch_print_result():
 
 def ovs_checkpatch_file(filename):
     try:
-        mail = email.message_from_file(open(filename, 'r'))
+        mail = email.message_from_file(open(filename, 'r', encoding='utf8'))
     except:
         print_error("Unable to parse file '%s'. Is it a patch?" % filename)
         return -1
---

If that looks good to you, I can fold the change in before applying
the patch.

What do you think?

Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to