‘Trojan Source’ Bug Threatens the Security of All Code

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • gitlab

  • This was a pretty interesting thing to mitigate - I added some support around it to GitLab after it was reported to us, which shipped in the latest security release: https://gitlab.com/gitlab-org/gitlab/-/commit/3fb44197195b57... (you can actually see it in effect on that commit's examples, which is quite meta). These characters have valid use-cases in right-to-left languages like Arabic, Japanese etc, so it had to be configurable for project-owners if they have legitimate use-cases for it. Our focus was on making sure that repository maintainers could see these characters in code reviews.

    The homoglyph attack is interesting but it really should be noticed as part of a code review process, as it requires adding the imitation function calls at some point too. It'd also likely be pretty frustrating to end users if we were to highlight every single unicode character that looks like the latin alphabet.

    It's certainly a good lesson in not copy/pasting random snippets from the internet and pasting them into a root shell, however :D

    Aside: this was a royal pain in the arse to figure out if I had live examples in the specs, because vim also just rendered them "correctly". I ended up checking the files in Windows Notepad on another machine to sanity check them.

    Thanks to the authors for responsible disclosure.

  • rust

    Empowering everyone to build reliable and efficient software.

  • Mastodon

    Your self-hosted, globally interconnected microblogging community

  • Yes, Mastodon has recently been discussing this. https://github.com/mastodon/mastodon/issues/2777

  • go

    The Go programming language

  • This issue has been raised before, such as at https://github.com/golang/go/issues/20209 (I was reminded of that by https://twitter.com/peter_szilagyi/status/145515080347229798...). There is some other interesting discussion there.

  • mimic

    [ab]using Unicode to create tragedy

  • This doesn't feel particularly new either? Isn't it pretty much a new variant of https://github.com/reinderien/mimic ?

    Which, if one is suspicious of code, can be defeated in vim with: set encoding=latin1
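The GitLab comment above describes the practical mitigation (make bidirectional control characters visible to reviewers) and the mimic comment covers the related homoglyph trick. The scanner below is an added example, not GitLab's code or the mimic project's; it flags the Unicode bidi control characters that Trojan Source relies on (and reports any opener left unterminated on its line, which is the pattern the paper suggests compilers reject) and separately lists identifiers that contain non-ASCII letters or mix scripts. The sample input is constructed, and the single-stack pairing of openers and closers is a deliberate conservative simplification of the Unicode bidi algorithm.

```python
"""Scan source text for the two Unicode tricks discussed on this page:
bidirectional control characters ("Trojan Source") and homoglyph identifiers.
Added example for this page; heuristics are assumptions, not a project's code."""
import re
import unicodedata

# Unicode bidi control characters with their standard abbreviations.
BIDI_OPENERS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202D": "LRO", "\u202E": "RLO",  # closed by PDF
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",                    # closed by PDI
}
BIDI_CLOSERS = {"\u202C": "PDF", "\u2069": "PDI"}

# An identifier: a letter (any script) followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*", re.UNICODE)


def scan_bidi(text):
    """Return one finding per bidi control character in `text`.

    Each finding is (line_no, col, name, terminated). `terminated` is False for
    an opener that is not closed before the end of its line, which is exactly
    the shape a compiler or review tool should reject. Closers are matched to
    the most recent opener on a single stack (simplification: PDF and PDI are
    not distinguished), so any unclosed opener at end of line is flagged.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        open_stack = []  # indices into `findings` of still-open openers
        for col, ch in enumerate(line, 1):
            if ch in BIDI_OPENERS:
                findings.append([line_no, col, BIDI_OPENERS[ch], False])
                open_stack.append(len(findings) - 1)
            elif ch in BIDI_CLOSERS:
                findings.append([line_no, col, BIDI_CLOSERS[ch], True])
                if open_stack:
                    findings[open_stack.pop()][3] = True
    return [tuple(f) for f in findings]


def script_of(ch):
    """Rough script name taken from the Unicode character name
    ("LATIN", "CYRILLIC", "GREEK", ...); "UNKNOWN" for unnamed code points."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def scan_homoglyphs(text):
    """Return (line_no, identifier, scripts) for every identifier that contains
    a non-ASCII character. Mixed scripts (e.g. Latin plus one Cyrillic letter)
    are the classic homoglyph pattern; all-non-ASCII names are listed so a
    reviewer can decide whether they are legitimate for the project."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in IDENT_RE.finditer(line):
            ident = match.group()
            if ident.isascii():
                continue
            scripts = sorted({script_of(c) for c in ident if c.isalpha()})
            findings.append((line_no, ident, tuple(scripts)))
    return findings


# Constructed sample: a Go-like snippet with one RLO override hidden inside a
# string literal (Trojan Source style) and one function name containing a
# Cyrillic "а" (U+0430) that renders like a Latin "a" (homoglyph style).
SAMPLE = (
    "func isAdmin(level string) bool {\n"
    '    if level != "user\u202E" { // display order of this line is altered\n'
    "        return true\n"
    "    }\n"
    "    return false\n"
    "}\n"
    "func s\u0430yHello() {}\n"
)

if __name__ == "__main__":
    for line_no, col, name, terminated in scan_bidi(SAMPLE):
        status = "ok" if terminated else "UNTERMINATED"
        print(f"line {line_no} col {col}: bidi control {name} ({status})")
    for line_no, ident, scripts in scan_homoglyphs(SAMPLE):
        print(f"line {line_no}: identifier {ident!r} uses scripts {scripts}")
```

Run as a script it reports the RLO on line 2 as unterminated and the mixed-script identifier on line 7; wired into a pre-receive hook or CI step, the same two functions give maintainers the visibility the GitLab comment describes without hard-blocking projects that legitimately use these characters.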
