Detecting Malicious Unicode in Source Code and Pull Requests

Development
2

Great, invisible characters that can do malicious stuff. That’s what security computer needs. (sarcasm)

Thanks for the report! Good stuff.

To make future automated checks easier, just now removed all unicode from Whonix…

…except from binary files.

Used the following grep command (based on this answer) to grep all of Kicksecure and Whonix source code:

grep --exclude=changelog.upstream --exclude-dir=.git --binary-files=without-match --recursive --color='auto' -P -n '[^\x00-\x7F]'

  • --exclude=changelog.upstream

    • because this file is auto generated and its contents aren’t processed by compilers or script interpreters.

  • --exclude-dir=.git

    • once in the git history, it stays there and files in that folder shouldn’t be manually edited.

  • --binary-files=without-match

    • Otherwise matches binary files such as images, binary files in monero-gui, gpg keys. Full list: [1]

Useful to append go grep command:

  • -l

    • to show file names only

Related:

[1]

packages/whonix/anon-ws-disable-stacked-tor/usr/share/anon-ws-disable-stacked-tor/control.authcookie
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-duck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-newspaper.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-archive.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-support.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-yacy.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-metager.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-doc.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-donate.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/whonix-logo-text.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-qwant.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-forum.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-ecosia.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/search-peekier.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-telegram.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-ipcheck.png
packages/whonix/whonix-welcome-page/usr/share/doc/homepage/whonix-welcome-page/img/symbol-contribute.png
packages/whonix/kloak/figures/train-normal_test-kloak.png
packages/whonix/kloak/figures/train-kloak_test-kloak.png
packages/whonix/kloak/figures/train-normal_test-normal.png
packages/whonix/kloak/figures/kloak.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A9A.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/62AF65BB.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA495.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/6C3FA497.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/D79A8A96.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/SVG/A04EE252.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_WordPress_Banner.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Banner_600x321.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Dark.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Profile_Light.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Portal.jpg
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Cover.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Banners.ai
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Twitter_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icon-pack-dist/whonix_banners/Whonix_Facebook_Social_Share.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/torbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/contribute.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/donate.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/mailinglist.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/important.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/nerolinux.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/readme.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/secbrowser.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonix.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/timesync.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/importantblog.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/featureblog.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/advancedsettings.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/chat.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/tbupdate.ico
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/whonixlock.png
packages/kicksecure/icon-pack-dist/usr/share/icons/icon-pack-dist/firewall.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/refresh.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion64.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/help.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/stop.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/prev.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/restart.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette2.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/back_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/tools.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/onion.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/Exit.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/accept_icon.png
packages/kicksecure/tor-control-panel/usr/share/tor-control-panel/silhouette1.png
packages/kicksecure/anon-connection-wizard/usr/share/anon-connection-wizard/advancedsettings.ico
packages/kicksecure/live-config-dist/usr/share/pixmaps/install-host.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/welcome.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/slide1.png
packages/kicksecure/live-config-dist/etc/calamares/branding/Whonix-Host/whonix-logo.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-success.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/restart-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/application-exit.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-warning.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/stop-sdwdate.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-log.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-wait.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/sdwdate-stopped.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-ok.png
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/advancedsettings.ico
packages/kicksecure/sdwdate-gui/usr/share/sdwdate-gui/icons/tor-error.png
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-ancestry
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-usage
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-mark-spent-outputs
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-export
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-import
packages/kicksecure/monero-gui/usr/bin/monero-wallet-gui
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-depth
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune
packages/kicksecure/monero-gui/usr/bin/monero-wallet-cli
packages/kicksecure/monero-gui/usr/bin/monerod
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-stats
packages/kicksecure/monero-gui/usr/bin/monero-blockchain-prune-known-spent-data
packages/kicksecure/monero-gui/usr/bin/monero-gen-ssl-cert
packages/kicksecure/monero-gui/usr/bin/monero-wallet-rpc
packages/kicksecure/monero-gui/usr/bin/monero-gen-trusted-multisig
packages/kicksecure/monero-gui/usr/share/doc/monero-gui/monero-gui-wallet-guide.pdf
packages/kicksecure/monero-gui/usr/share/pixmaps/monero.png
packages/kicksecure/gpg-bash-lib/usr/share/gpg-bash-lib/misc/gpg-test-pub-key.d/pubring.gpg
3 Likes