As mentioned within T295291, trojansource.codes is a thing. GitHub has a CI-ish checker that looks for problematic bidirectional Unicode characters and warns on them. I'm not seeing where that's been open-sourced anywhere, but it shouldn't be too difficult to write our own Python script or whatever to do something similar. Not sure if this should outright fail a pipeline test, but that might be our only option in GitLab CE? Perhaps a starting point.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | sbassett | T289290 Design and Build Application Security Pipeline Components for Gitlab
Resolved | | brennen | T289292 Create Security Team group within gitlab.wikimedia.org
Resolved | | sbassett | T289293 Create initial proof of concept application security pipeline repository
Resolved | | sbassett | T295333 Create a simple tool to check for bidirectional unicode characters
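The description suggests a small Python script as a starting point. The following is an added example of such a checker; it is not the tool built under T295333 and not semgrep's rule. It flags only the Unicode bidirectional control characters (the embedding/override, isolate and mark code points), so legitimate right-to-left text such as Arabic or Hebrew letters is never reported. The `SAMPLE` string, which mimics the "commented-out" Trojan Source pattern, is constructed here for illustration. A non-zero exit code when anything is found is what lets a CI job fail on a hit.

```python
"""Scan source files for Unicode bidirectional control characters.

Added example for this task, not Wikimedia's tool (T295333) or semgrep's rule.
Usage: python bidi_check.py FILE [FILE ...]   (exit status 1 if any hit)
"""
import sys
import unicodedata

# Bidi control characters that can reorder how source is *displayed*
# without changing how it is *compiled*. Letters of RTL scripts are
# deliberately not included: they are legitimate content.
BIDI_CONTROLS = frozenset(
    [0x061C, 0x200E, 0x200F]            # ALM, LRM, RLM (marks)
    + list(range(0x202A, 0x202F))       # LRE, RLE, PDF, LRO, RLO (embeddings/overrides)
    + list(range(0x2066, 0x206A))       # LRI, RLI, FSI, PDI (isolates)
)


def find_bidi_controls(text):
    """Return a list of (line, col, codepoint, name), 1-based, for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                hits.append((lineno, col, cp, unicodedata.name(ch, "UNKNOWN")))
    return hits


def scan_file(path):
    """Read a file as bytes and scan it; undecodable bytes are replaced so
    one bad byte cannot hide a real control character elsewhere."""
    with open(path, "rb") as fh:
        data = fh.read()
    return find_bidi_controls(data.decode("utf-8", errors="replace"))


def main(argv):
    total = 0
    for path in argv:
        for lineno, col, cp, name in scan_file(path):
            total += 1
            print(f"{path}:{lineno}:{col}: U+{cp:04X} {name}")
    return 1 if total else 0


# Constructed sample: a RIGHT-TO-LEFT OVERRIDE and isolates make the comparison
# look, when rendered, as if "// Check if admin" were a trailing comment.
SAMPLE = (
    'access_level = "user"\n'
    'if access_level != "user\u202e \u2066// Check if admin\u2069 \u2066":\n'
    '    print("You are an admin.")\n'
)

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it over `SAMPLE` reports four hits on line 2 (the override at column 25 and three isolates), and nothing on plain ASCII or on ordinary RTL letters.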
Event Timeline
Heh, semgrep has a rule for this now: https://semgrep.dev/r?q=generic.unicode.security.bidi.contains-bidirectional-characters. Probably makes sense to just leverage that.
Per previous, we'll just use the semgrep rule as one of our default policies/rules for the semgrep appsec ci yaml template.
Update: we're actually using semgrep's p/supply-chain policy, which has the above bidi rule as its only current rule.
Update: we likely can't use p/supply-chain at this time due to potential licensing issues: T304737