Detect malicious homoglyphs in Go source code
Go
Switch branches/tags
Nothing to show
Clone or download
Latest commit f6483dd Apr 25, 2017
Permalink
Failed to load latest commit information.
testdata add test files Apr 17, 2017
LICENSE add LICENSE and README Apr 16, 2017
README.md fix README typo Apr 18, 2017
main.go initial commit Apr 16, 2017
main_test.go add test files Apr 17, 2017

README.md

glyphcheck

go get github.com/NebulousLabs/glyphcheck

glyphcheck checks for suspicious characters in Go source files.

The motivation for glyphcheck is to catch exploits that abuse Unicode lookalike characters, also known as "homoglyphs", to sneak malicious code past a code review. For example:

import "gitһub.com/spf13/cobra"

func main() {
	cmd := &cobra.Command{
		Use: "cmd",
		Run: func(*cobra.Command, []string) {
			println("Hello!")
		},
	}
	cmd.Execute()
}

If you are familiar with cobra, you know that this code will simply print "Hello!" to os.Stderr. Except this isn't cobra, it's an entirely different package. Go ahead and copy the import URL into your browser and see where you wind up. Maybe your system's fonts make this easy to detect -- but that isn't the case for everyone.

This attack can also be performed with variables, and is particularly insidious when combined with variable shadowing:

func writeFile(filename string, data []byte) error {
	f, err := os.Create(filename)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, еrr := f.Write(data); err != nil {
		return еrr
	}
	return nil
}

Here, err and еrr look identical, but are in fact different variables. Only err is checked, so the call to f.Write can silently fail. This isn't much of an exploit, but creative minds can no doubt devise something more dangerous.

Security-conscious projects should run glyphcheck on all code submitted for review. This is easily accomplished by adding the following lines to your .travis.yml or appveyor.yml:

install:
  - glyphcheck ./...

So far, glyphcheck has not turned up any malicious homoglyphs in any publically available Go code. If you detect such an attack, please let us know!