Detecting Malicious Unicode in Source Code and Pull Requests

Patrick · October 19, 2023, 4:24pm

avoid unicode in source code if reasonably avoidable

opened 04:23PM - 19 Oct 23 UTC

Why? Security. References: https://www.kicksecure.com/wiki/Unicode (written …by me) https://trojansource.codes/ For `config` that is trivial and probably even non-controversial. Created https://github.com/grml/grml-debootstrap/pull/218 for it. In the `config` the unicode seemed to be a bug and not useful at all. The only other file with unicode is `debian/changelog`. grep -P -n '[^[:ascii:]]' debian/changelog ``` 21: The "¡hola bookworm!" release 80: * [457e3e4] config: Replace em dash — by `--` for switch in comment 148: [ Antoine Beaupré ] 444: The "monster kill ▬█████████" release 527: The "jessie partyyyyyy ♫♫♫" release 563: The "[✔] ready for jessie" release 631: The "happy easter ＼(◎o◎)／" release 1365: Thanks for the patch, Alexander 'Stone' Steinböck! ``` But these are not as non-controversial to remove. Butchering real names is probably unwanted. And maybe less important because it's a textual file. Not code that is being interpreted.

Patrick · October 19, 2023, 4:57pm

buster · October 20, 2023, 8:12pm

GUYS thank you, this is fire