According to a recent research by Cambridge University's Nicholas Boucher and Ross Anderson, there are two vulnerabilities that impact most code co...
If you set the format of that last code block to bib, the syntax highlighting will actually work ;)
Thank you! I didn't know, it's already changed.
Great article!
I recommend reading Russ Cox's post:
research.swtch.com/trojan
This is not new, it's not specific to RTL/LTR, and it's also not something that should be "fixed" by compilers or language specs but rather by developer tools (like the one that you created). Stack Overflow should reject code that contains these characters.
In this 3 year old Go issue about the LTR / RTL vulnerability, one of the authors of UTF-8 (Rob Pike) voices the same opinion about putting fixes into programming languages / compilers:
github.com/golang/go/issues/20209#...
Thank you for the article and your comment, you are right and I find it very interesting.
Thanks for the contribution!
Not the main reason, but one of the reasons I use Gremlins in VSCode: marketplace.visualstudio.com/items...
As you see in my screenshot, with this extension, my VSCode will detect the invisible chars.
dev-to-uploads.s3.amazonaws.com/up...
Mainly I need that, because I accidentally hit cmd + space when I'm typing fast, which results in a space that looks like a normal space, but is a non-ASCII char that can break code.
Other than that, I hope you will never use a negative check like access_level != "user" for real, since that will lead to side effects once you have more access levels next to "admin" and "user", or any form of typos. Always make the check explicit: access_level == "admin".
Thanks for discovering Gremlins, I liked it!
Regarding using the negative, yes, I wouldn't use it either, but that was the example of the official article and the GitHub repo, I just based it on that.
Regards!
It would be very easy to do, would you like to make a pull request with this change?
Just remove the break; when a character is found, and calculate the line based on: 1. last line index, 2. current character since last line.
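The detection that the two comments above describe (the Gremlins-style flagging of invisible characters, and a scanner that does not stop at the first hit but reports the line and column of every bidi control character) can be written in a few dozen lines. The following is an added example and not the author's tool, the Gremlins extension, or any code from the article; the sample source text and the set of "other invisible" characters are constructed for illustration.

```python
from typing import List, Tuple

# Unicode bidirectional control characters: the embeddings, overrides and
# isolates used by the Trojan Source technique, plus the directional marks.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

# Other invisible or look-alike characters that an editor renders like a
# normal space but that a compiler treats differently. Constructed list
# (assumption): extend it to taste for your code base.
OTHER_INVISIBLE = {
    "\u00a0": "NO-BREAK SPACE",   # what cmd+space on macOS can insert
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE / BOM",
}

Finding = Tuple[int, int, str, str]  # (line, column, codepoint, name)


def scan_source(text: str) -> List[Finding]:
    """Return one finding per flagged character, with 1-based line and column.

    The scan walks the whole text instead of breaking on the first hit, and
    tracks the line by counting newlines and the column by counting characters
    since the last newline, which is exactly the bookkeeping suggested above.
    """
    findings: List[Finding] = []
    line, col = 1, 0
    for ch in text:
        if ch == "\n":
            line += 1
            col = 0
            continue
        col += 1
        if ch in BIDI_CONTROLS:
            findings.append((line, col, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
        elif ch in OTHER_INVISIBLE:
            findings.append((line, col, f"U+{ord(ch):04X}", OTHER_INVISIBLE[ch]))
    return findings


def is_clean(text: str) -> bool:
    """True when no bidi control or invisible character is present; suitable
    as a pre-commit / CI gate that rejects the file outright."""
    return not scan_source(text)


def format_report(path: str, text: str) -> str:
    """Render findings in the path:line:col style editors and CI logs expect."""
    return "\n".join(
        f"{path}:{ln}:{col}: {cp} ({name})" for ln, col, cp, name in scan_source(text)
    )


# Constructed sample: a comment carrying a RIGHT-TO-LEFT OVERRIDE on line 2
# and a NO-BREAK SPACE instead of a normal space on line 3.
SAMPLE = (
    "int x = 1;\n"
    "/* begin admins only \u202e */ int y = 2;\n"
    "var\u00a0z = 3;\n"
)

if __name__ == "__main__":
    print(format_report("sample.cs", SAMPLE))
    print("clean" if is_clean(SAMPLE) else "REJECT: suspicious characters found")
```

Run it over real files with `open(path, encoding="utf-8").read()` and treat any finding as a hard failure in CI; the point of the comment above is that this belongs in tooling (linters, editors, code hosts), not in the compiler.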
"What if it has already happened to us?" You do have unit tests, don't you?
Yes, but not all projects for example in some startups have complex unit tests for all aspects, obviously it is bad practice, but it is real. This is a simple 2 minute fix, but yes, you should have unit tests + test engineers. Thanks 💖
I think it would be possible to write malicious code that passes the unit tests. For example, what if the code in the article gave the user admin access if they are a legitimate admin or if their username is "fluffy-bunny"?
Helpful!
Thanks!
Your first sample does not compile, I got
error CS1026: ) expected
while building with dotnet build, and I also see the error in VSCode. I suspect it might depend on the file encoding.
I love it
X5O!P%@ap [4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H
Thanks for that!!!
As long as it is trusted there are no problems!
Perfect, if you want you can send us the pull request through github, and anything contact me at juan@dotnestafer.com, Thanks!
👏👏👏
Hi, I am Chirag, a full stack web developer. I don't think it affects me in any way, or does it?
The example doesn't work for me. I tried to use VS17, VS19, VS22. I have such errors:
) expected
; expected
invalid expression term ''
Unexpected character ''
How to compile this example?