gosec

feature: add rule for trojan source

Open kfess opened this issue 3 weeks ago • 3 comments

Description

Add rule to detect Trojan Source attacks (CVE-2021-42574) using bidirectional Unicode control characters as G116.

The rule scans entire file content to detect dangerous bidirectional text control characters:

  • RLO (U+202E)
  • LRI/RLI/FSI (U+2066/2067/2068)
  • LRE/RLE (U+202A/202B)
  • PDF (U+202C)
  • LRO (U+202D)
  • RLM/LRM (U+200F/200E)

References:

  • https://trojansource.codes/trojan-source.pdf
  • https://www.compart.com/en/unicode/U+200f
  • https://www.compart.com/en/unicode/U+200e

Fixes

Issue: #1429

Comment

testutils/g116_samples.go uses #nosec because G116 scans entire file content (not just AST nodes but also comments). The test file contains actual bidirectional Unicode characters to verify detection works correctly. Without #nosec, gosec would flag its own test samples when running make test.

kfess avatar Dec 02 '25 16:12 kfess

Please can you rebase this pull request? Thanks

ccojocar avatar Dec 03 '25 13:12 ccojocar

Thanks for the review. I've updated the implementation to use bufio.Scanner instead of os.ReadFile for better memory efficiency.

I evaluated the memory efficiency with /usr/bin/time on a large project (kubernetes/kubernetes, 10,123 files):

/usr/bin/time -v go run ./cmd/gosec/ --include=G116 ../kubernetes/...
  • Before (ReadFile): 342 MB
  • After (Scanner): 194 MB

I also rebased the commits.

kfess avatar Dec 06 '25 09:12 kfess
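The following is an added, stand-alone illustration of the two points above (the rule description's list of bidirectional control code points, and the later switch to a line-by-line `bufio.Scanner` instead of reading whole files). It is not gosec's `rules/trojansource.go`; the names `ScanBidi`, `ScanFile`, `Finding` and the embedded `Sample` are assumptions made for this example, and the sample source text is constructed, not taken from any real project.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// bidiControls lists the bidirectional control code points named in the PR
// description, keyed by code point.
var bidiControls = map[rune]string{
	0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
	0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI",
	0x200E: "LRM", 0x200F: "RLM",
}

// Finding is one occurrence of a bidi control character.
type Finding struct {
	Line int    // 1-based line number
	Col  int    // 1-based column, counted in runes
	Rune rune   // the offending code point
	Name string // its short name, e.g. "RLO"
}

// ScanBidi reads r one line at a time and reports every bidi control
// character it contains. Because it works on raw text rather than an AST,
// it sees comments and string literals as well as code, which is where
// Trojan Source payloads hide (hence the #nosec needed on the test samples).
func ScanBidi(r io.Reader) ([]Finding, error) {
	sc := bufio.NewScanner(r)
	// bufio.Scanner stops with ErrTooLong on lines over 64 KiB by default;
	// allow generated or minified files with very long lines (10 MiB cap).
	sc.Buffer(make([]byte, 0, 64*1024), 10*1024*1024)
	var findings []Finding
	for line := 1; sc.Scan(); line++ {
		col := 0
		for _, ch := range sc.Text() { // ranging over a string decodes UTF-8 runes
			col++
			if name, ok := bidiControls[ch]; ok {
				findings = append(findings, Finding{Line: line, Col: col, Rune: ch, Name: name})
			}
		}
	}
	return findings, sc.Err() // ErrTooLong or read errors surface here
}

// ScanFile opens path and scans it without loading the whole file into memory.
func ScanFile(path string) ([]Finding, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return ScanBidi(f)
}

// Sample is a constructed Go source snippet (not from any real project) with
// an RLO hidden in a comment and an RLM hidden in a string literal.
const Sample = "package main\n" +
	"// comment \u202E hidden\n" +
	"x := \"abc\u200Fdef\"\n"

func main() {
	if len(os.Args) > 1 {
		for _, path := range os.Args[1:] {
			findings, err := ScanFile(path)
			if err != nil {
				fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
				continue
			}
			for _, f := range findings {
				fmt.Printf("%s:%d:%d: bidi control %s (U+%04X)\n", path, f.Line, f.Col, f.Name, f.Rune)
			}
		}
		return
	}
	findings, err := ScanBidi(strings.NewReader(Sample))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	for _, f := range findings {
		fmt.Printf("sample:%d:%d: bidi control %s (U+%04X)\n", f.Line, f.Col, f.Name, f.Rune)
	}
}
```

Run with no arguments to scan the embedded sample, or pass file paths to scan real files; the streaming reader keeps memory bounded by the longest line rather than the largest file, which is the trade-off the comment above measured. The `sc.Buffer` call matters in practice: without it, a single very long line (common in generated code) makes the scan fail with `bufio.ErrTooLong` and the file would be silently skipped unless `sc.Err()` is checked.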

It seems that there are still some lint issues. PTAL thanks

ccojocar avatar Dec 08 '25 09:12 ccojocar


Codecov Report

:x: Patch coverage is 89.18919% with 4 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 64.54%. Comparing base (1216c9b) to head (a94b325).
:warning: Report is 142 commits behind head on master.

Files with missing lines   Patch %   Lines
rules/trojansource.go      88.88%    2 Missing and 2 partials :warning:
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1431      +/-   ##
==========================================
- Coverage   68.49%   64.54%   -3.96%     
==========================================
  Files          75       78       +3     
  Lines        4384     4716     +332     
==========================================
+ Hits         3003     3044      +41     
- Misses       1233     1524     +291     
  Partials      148      148              


codecov-commenter avatar Dec 11 '25 09:12 codecov-commenter

Sorry for the late response. Thank you for fixing the linter error.

kfess avatar Dec 11 '25 09:12 kfess

I forgot to add the new rule to the README. Should I open a PR for that?

kfess avatar Dec 11 '25 09:12 kfess