Skip to content

ESLint plugin to detect and stop Trojan Source attacks

License

Notifications You must be signed in to change notification settings

lirantal/eslint-plugin-anti-trojan-source

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

eslint-plugin-anti-trojan-source

ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase

npm version license downloads build Known Vulnerabilities Responsible Disclosure Policy

About

ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.

If you're unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.

This ESLint plugin is based on the library and command-line tool anti-trojan-source.

👋 Jan 2023 Update: This plugin inspired work to create an anti-trojan rule detect-bidi-characters in eslint-plugin-security and if you're already using that security plugin then it is advised to turn on that rule.

Install

npm install --save-dev eslint-plugin-anti-trojan-source

Usage

Once you've installed this plugin, add it to your eslint configuration as follows.

Recommended

This plugin exports a recommended configuration. To enable this configuration, extend it in the configuration for your project.

{
  "extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}

Manual

First, you need to define it as a plugin:

Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.

{
  "plugins": ["anti-trojan-source"]
}

Then, add an ESLint rule that halts if it finds a Trojan Source attack:

"rules": {
    "anti-trojan-source/no-bidi": "error"
}

Following is a complete example of configuration if you are defining ESLint configuration in your package.json file:

"eslintConfig": {
    "plugins": [
        "anti-trojan-source"
    ],
    "rules": {
        "anti-trojan-source/no-bidi": "error"
    }
}

Example output

The following is an example output when the plugin finds a Trojan Source attack in your codebase:

/Users/lirantal/projects/repos/@gigsboat/cli/index.js
  1:1  error  Detected potential trojan source attack with unicode bidi introduced in this comment: '‮ } ⁦if (isAdmin)⁩ ⁦ begin admins only '  anti-trojan-source/no-bidi
  1:1  error  Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only ‮ { ⁦'                    anti-trojan-source/no-bidi

/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
  2:1  error  Detected potential trojan source attack with unicode bidi introduced in this code: '"user‮ ⁦// Check if admin⁩ ⁦"'  anti-trojan-source/no-bidi

Author

eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.