vulnerable against Trojan Source Attack #623
Comments
|
I think this is the wrong approach: I am more concerned about what Beanshell does with that script, do you have an example? If beanshell detects something strange it could except and inform the user about the problem. That should also suffice, do you agree? |
|
Well BeanShell does exactly what the Java Compiler would do (and that in itself is a good thing) - in the example given, it prints "You are ad admin" - which is sometihn that you would not expect to happen looking at the source - the interpreter just does not see the And thus - yes, informing the user about a possible problem is of course sufficient, too. My pull request was one way to do so - and the fastest for me because I had that component lying around. But i am aware of the slight skew here: introducing a heavy dependencie (in fact: several of them) just to mitigate a vulnerability sounds a little heavy-handed... |
|
I would see the BSH GUI as a non-productive environment. The simplest solution is probably to ignore LTR and similar control characters and show a placeholder(if needed more sophisticated text editors can be used) |
|
Agree with @ecki thank you for your input. Closed: editor not essential |
The atttack is outlined here: https://arxiv.org/abs/2111.00169
If one copies one of the examples into the Console, this happens:
The user does not see that there is a possible problem here.
There are many different mitigations for this to be seen in the wild - GitHub shows a message, some projects (intellij idea for example) simply show the problematic control characters as pseudo-glyphs...
I think BeanShell should also do something about it!
The text was updated successfully, but these errors were encountered: