
Feature request: Add check for Trojan Source attacks (CVE-2021-42574)

Open kfess opened this issue 3 weeks ago • 1 comments

Feature request

gosec currently does not detect Trojan Source attacks (CVE-2021-42574). This attack uses Unicode bidirectional control characters to make source code appear different to reviewers than what compilers actually execute.

What I would like to add

Add a new rule that detects Unicode Bidi control characters in source code.

Additional context

  • Bandit (Python) already has this check as B613
  • Reference: https://trojansource.codes/

I'm happy to submit a PR if this feature is welcomed.

kfess avatar Nov 30 '25 02:11 kfess
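As an added illustration of what such a rule would detect (this is example code written for this page, not gosec's own rule and not the implementation from the referenced PR), a small Go scanner that reports every Unicode Bidi control character in a source file. The sample source in `main` is constructed: an ordinary comment that carries an RLO and an LRI character.

```go
package main

import (
	"fmt"
	"strings"
)

// bidiControls lists the Unicode bidirectional control characters abused by
// Trojan Source (CVE-2021-42574): explicit embeddings, overrides, isolates
// and their terminators. Legitimate Go source essentially never needs them.
var bidiControls = map[rune]string{
	'\u202A': "LEFT-TO-RIGHT EMBEDDING",
	'\u202B': "RIGHT-TO-LEFT EMBEDDING",
	'\u202C': "POP DIRECTIONAL FORMATTING",
	'\u202D': "LEFT-TO-RIGHT OVERRIDE",
	'\u202E': "RIGHT-TO-LEFT OVERRIDE",
	'\u2066': "LEFT-TO-RIGHT ISOLATE",
	'\u2067': "RIGHT-TO-LEFT ISOLATE",
	'\u2068': "FIRST STRONG ISOLATE",
	'\u2069': "POP DIRECTIONAL ISOLATE",
}

// Finding records one Bidi control character located in the scanned source.
type Finding struct {
	Line, Col int // 1-based line number and rune column
	Rune      rune
	Name      string
}

// FindBidiControls scans source text and returns every Bidi control
// character it contains, with its position, so a reviewer can see where
// the rendered text may differ from what the compiler will parse.
func FindBidiControls(src string) []Finding {
	var findings []Finding
	for lineNo, line := range strings.Split(src, "\n") {
		col := 0
		for _, r := range line { // ranges over runes, not bytes
			col++
			if name, ok := bidiControls[r]; ok {
				findings = append(findings, Finding{lineNo + 1, col, r, name})
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: a comment containing an RLO and an LRI character.
	sample := "package main\n\nfunc check(ok bool) bool {\n\t// \u202E } if ok { return true \u2066\n\treturn false\n}\n"
	for _, f := range FindBidiControls(sample) {
		fmt.Printf("%d:%d U+%04X %s\n", f.Line, f.Col, f.Rune, f.Name)
	}
}
```

A real rule would additionally want to report the file path and skip nothing inside comments or string literals, since those are exactly where the attack places the characters.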

I'd like to work on this feature. I will submit a PR to add a new rule.

kfess avatar Dec 02 '25 13:12 kfess

fixed by #1431

ccojocar avatar Dec 11 '25 09:12 ccojocar