Trojan Source attack: introducing changes to code that are invisible to the developer

Researchers from the University of Cambridge have published a technique for silently injecting malicious code into source code that undergoes peer review. The attack method (CVE-2021-42574) is presented under the name Trojan Source and relies on constructing text that looks different to the compiler or interpreter than to the person viewing the code. Examples of the method are given for various compilers and interpreters for C, C++ (gcc and clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go and Python.

The method is based on the use of special Unicode characters in code comments that change the display order of bidirectional text. With such control characters, some parts of the text can be displayed left to right and others right to left. In everyday practice, these control characters are used, for example, to embed strings in Hebrew or Arabic in a file. But if fragments with different text directions are combined on a single line using the specified characters, the parts of the text displayed right to left can overlap the ordinary text displayed left to right.

Using this method, an attacker can add a malicious construct to the code and then make the text containing this construct invisible when the code is viewed, by adding, in the following comment or inside a string literal, characters displayed from right to left, so that completely different characters are drawn over the malicious insert. Such code remains semantically correct, but is interpreted and displayed differently.


When reviewing the code, the developer sees the visual order of the characters and therefore an innocuous comment in a modern text editor, web interface or IDE, whereas the compiler or interpreter uses the logical order of the characters and processes the malicious insert as-is, paying no attention to the bidirectional text in the comment. The problem affects popular code editors (VS Code, Emacs, Atom), as well as the code-viewing interfaces of repository hosting services (GitHub, GitLab, BitBucket and all Atlassian products).


There are several ways to use the method for malicious purposes: adding a hidden "return" statement that makes the function exit early; commenting out statements that appear to be valid constructs (for example, to disable important checks); or assigning different string values that cause string validation to fail.

For example, an attacker could propose a change containing the line: if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

which in the review interface would be displayed as: if access_level != "user" {// Check if admin

In addition, another variant of the attack (CVE-2021-42694) was presented, based on homoglyphs: characters that look alike but have different meanings and different Unicode code points (for example, "ɑ" resembles "a", "ɡ" resembles "g", and "ɩ" resembles "l"). In some languages such characters can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names can be declared that perform different actions. Without careful analysis, it is not immediately clear which of the two functions is called at a given location.


As a protective measure, it is recommended that compilers, interpreters and build tools that support Unicode display an error or warning when comments, string literals or identifiers contain unpaired control characters that change the output direction (U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E and U+200F). Such characters should also be explicitly prohibited in programming language specifications and should be honoured by code editors and repository interfaces.

Addendum 1: Patches for the vulnerability have been prepared for GCC, LLVM/Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira have also fixed the problem. A fix for GitLab is in progress. To find problematic code, it is recommended to use the command: grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' source
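The grep above only reports that one of the listed code points is present. The added example below (not part of the article or of any of the projects named) goes one step further toward the recommendation for compilers and build tools: it scans text for the same twelve control characters and flags lines on which an embedding or isolate is opened but never closed, which is the shape of the article's example line. The sample input is constructed here and embeds that line with the controls as real characters.

```python
import re

# Code points the article lists (ALM, LRM, RLM, LRE, RLE, PDF, LRO, RLO,
# LRI, RLI, FSI, PDI), mapped to their short names.
BIDI_CONTROLS = {
    "\u061c": "ALM", "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EMBED_OPENERS = {"LRE", "RLE", "LRO", "RLO"}   # each must be closed by PDF
ISOLATE_OPENERS = {"LRI", "RLI", "FSI"}        # each must be closed by PDI
PATTERN = re.compile("[" + "".join(BIDI_CONTROLS) + "]")


def scan_source(text):
    """Return (line_no, control_names, unterminated) for every line that
    contains bidi controls. 'unterminated' is True when an embedding or
    isolate opened on the line is still open at end of line, as in the
    article's example (RLO is never closed by PDF)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        names = [BIDI_CONTROLS[ch] for ch in PATTERN.findall(line)]
        if not names:
            continue
        embed_depth = isolate_depth = 0
        for name in names:
            if name in EMBED_OPENERS:
                embed_depth += 1
            elif name == "PDF":
                embed_depth = max(0, embed_depth - 1)
            elif name in ISOLATE_OPENERS:
                isolate_depth += 1
            elif name == "PDI":
                isolate_depth = max(0, isolate_depth - 1)
        findings.append((line_no, names, embed_depth + isolate_depth > 0))
    return findings


# Constructed sample: line 2 is the article's example with the controls as
# real characters; line 3 is a harmless, balanced RTL isolate for comparison.
SAMPLE = (
    "package main\n"
    'if access_level != "user\u202e \u2066// Check if admin\u2069 \u2066" {\n'
    'label := "\u2067RTL text\u2069"  // balanced isolate, not suspicious\n'
)

if __name__ == "__main__":
    for line_no, names, unterminated in scan_source(SAMPLE):
        flag = "UNTERMINATED" if unterminated else "balanced"
        print(f"line {line_no}: {' '.join(names)} ({flag})")
```

A balanced isolate around a legitimately right-to-left string is reported but not flagged, so the check can be run over the build files Russ Cox names below (Cargo.toml, Makefile, package.json and so on) without rejecting ordinary Hebrew or Arabic literals.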

Addendum 2: Russ Cox, one of the developers of the Plan 9 OS and the Go programming language, criticized the excessive attention given to the described attack method, which has long been known (Go, Rust, C++, Ruby) and was not considered serious. According to Cox, the problem mainly concerns the correct display of information in code editors and web interfaces, which can be solved by using proper tools and code analyzers during review. Therefore, instead of drawing attention to speculative attacks, it would be more useful to focus on improving code and dependency review processes.

Russ Cox also believes that compilers are not the right place to fix the problem: even if dangerous characters are prohibited at the compiler level, a large layer of other tools still processes these characters, such as build systems, assemblers, package managers and various configuration and data parsers. As an example, the Rust project is cited, which prohibited LTR/RTL control codes in the compiler but did not add a fix to the Cargo package manager, which allows a similar attack through the Cargo.toml file. Likewise, files such as BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml and requirements.txt can become attack vectors.

Source: budenet.ru
