On Mon, Nov 15, 2021 at 10:43:12PM +1100, Chris Angelico wrote:

> The problems here are not Python's, they are code reviewers', and that
> means they're really attacks against the code review tools.

I think that's a bit strong. Boucher and Anderson's paper describes 
multiple kinds of vulnerabilities. At a fairly quick glance, the BIDI 
attack does seem to be a novel attack, and probably exploitable.

But unfortunately it seems to be the Unicode confusables or homoglyph 
attack that seems to be getting most of the attention, and that's not 
new, it is as old as ASCII, and not so easily exploitable. Being able to 
have А (Cyrillic) Α (Greek alpha) and A (Latin) in the same code base 
makes for a nice way to write obfuscated code, but it's *obviously* 
obfuscated and not so easy to smuggle in hostile code.

Whereas the BIDI attacks do (apparently) make it easy to smuggle in 
code: using invisible BIDI control codes, you can introduce source code 
where the way the editor renders the code, and the way the coder reads 
it, is different from the way the interpreter or compiler runs it.

That is, I think, new and exploitable: something that looks like a 
comment is actually code that the interpreter runs, and something that 
looks like code is actually a string or comment which is not executed, 
but editors may syntax-colour it as if it were code.

Obviously we can mitigate against this by improving the editors (at the 
very least, all editors should have a Show Invisible Characters option). 
Linters and code checks should also flag problematic code containing 
BIDI codes, or attacks against docstrings.

Beyond that, it is not clear to me what, if anything, we should do in 
response to this new class of Trojan Source attacks, beyond documenting 
it.

-- 
Steve
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/SXF2BG47UZTI7QM7GB3XCTGEV576UZOE/
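A linter check of the kind suggested above, added here as an example and not code from the thread or from any Python tool: it flags Unicode BIDI control characters anywhere in a source file and identifiers that mix letter scripts (the Cyrillic/Greek/Latin A case), run over a constructed sample.

```python
"""Flag Trojan Source risks in Python source: BIDI control characters and
identifiers that mix scripts (Latin vs Cyrillic vs Greek lookalikes)."""
import io
import tokenize
import unicodedata

# Unicode bidirectional control characters (embeddings, overrides, isolates,
# marks) that can make rendered code differ from what the interpreter sees.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

def find_bidi_controls(source):
    """Return (line, column, name) for every BIDI control character."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits

def _script(ch):
    # First word of the Unicode character name: "LATIN", "CYRILLIC", "GREEK", ...
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def find_mixed_script_identifiers(source):
    """Return (line, identifier) for NAME tokens whose letters span >1 script."""
    hits = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        scripts = {_script(c) for c in tok.string if c.isalpha()}
        if len(scripts) > 1:
            hits.append((tok.start[0], tok.string))
    return hits

def scan(source):
    """Human-readable findings, suitable for a pre-commit hook or CI check."""
    out = [f"line {l}, col {c}: BIDI control {n}" for l, c, n in find_bidi_controls(source)]
    out += [f"line {l}: identifier {n!r} mixes scripts" for l, n in find_mixed_script_identifiers(source)]
    return out

# Constructed sample: an RLO override hidden in a comment on line 2, and an
# identifier on line 4 whose second letter is Cyrillic U+0430, not Latin 'a'.
SAMPLE = (
    "def check(level):\n"
    "    if level != 'user':  # \u202e note\n"
    "        return True\n"
    "    p\u0430ss = 1\n"
)

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```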