Trojan Source attack: introducing changes into code that the developer cannot see

Researchers at the University of Cambridge have published a technique for covertly inserting malicious code into source code that passes peer review. The attack technique (CVE-2021-42574) is presented under the name Trojan Source and relies on forming text that looks different to the compiler or interpreter than it does to the person reviewing the code. Examples of the technique are demonstrated for various compilers and interpreters for C, C++ (gcc and clang), C#, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go and Python.

The method relies on using special Unicode characters in code comments that change the display order of bidirectional text. With the help of such control characters, some parts of the text can be displayed from left to right and others from right to left. In everyday practice, such control characters are used, for example, to insert lines of code containing Hebrew or Arabic into a file. But if fragments with different text directions are combined on one line using these characters, the fragments displayed from right to left can overlap the existing text displayed from left to right.

Using this method, an attacker can add a malicious construct to the code and make the text of that construct invisible when the code is viewed: characters displayed from right to left are added to the following comment or inside a string literal, so that completely different characters are overlaid on top of the malicious insertion. Such code remains semantically correct, but it is interpreted and displayed differently.

When reviewing the code, the developer sees the visual display order of the characters and finds an unsuspicious comment in a modern text editor, web interface or IDE, whereas the compiler and interpreter use the logical order of the characters and process the malicious insertion as is, paying no attention to the bidirectional text in the comment. The problem affects various code editors (VS Code, Emacs, Atom), as well as the interfaces for viewing code in repositories (GitHub, GitLab, Bitbucket and all Atlassian products).

There are several ways to use the method to implement malicious behaviour: adding a hidden "return" statement, which causes the function to exit early; turning expressions that look like valid constructs into comments (for example, to disable an important check); and assigning different string values, which leads to string validation failures.

For example, an attacker can propose a change that includes the line: if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {

which will be displayed in the review interface as: if access_level != "user" { // Check if admin

In addition, another attack variant has been proposed (CVE-2021-42694), related to the use of homoglyphs: characters that look alike but differ in meaning and have different Unicode code points (for example, the character "ɑ" resembles "a", "ɡ" resembles "g", and "ɩ" resembles "l"). In some languages such look-alike characters can be used in function and variable names to mislead developers. For example, two functions with visually indistinguishable names can be defined that perform different actions. Without detailed analysis, it is not immediately obvious which of the two functions is called at a given place.

As a protective measure, it is recommended that compilers, interpreters and build tools that support Unicode display an error or warning if comments, string literals or identifiers contain unpaired control characters that change the direction of output (U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E and U+200F). Such characters should also be explicitly prohibited in programming language specifications, and the prohibition should be honoured by code editors and repository interfaces.
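The check recommended above, as an added example that is not part of the original article or of any of the projects it names: a small Python scanner that reports bidirectional control characters per line, lists the ones still open at the end of the line (the situation the attack depends on, since the renderer terminates them at end of line while the compiler does not), and groups identifiers that collapse to the same name after folding the homoglyphs mentioned in the article. The sample source, the partial confusable table and the function names are constructed for this example; a real tool would load Unicode's full confusables data.

```python
import re
import unicodedata
from collections import defaultdict

# Directional formatting characters from the article's list.
EMBEDDING_OPENERS = {"\u202A", "\u202B", "\u202D", "\u202E"}  # LRE, RLE, LRO, RLO
ISOLATE_OPENERS = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
PDF, PDI = "\u202C", "\u2069"                                  # terminators
MARKS = {"\u061C", "\u200E", "\u200F"}                         # ALM, LRM, RLM
BIDI_CONTROLS = EMBEDDING_OPENERS | ISOLATE_OPENERS | {PDF, PDI} | MARKS

# Constructed, deliberately partial confusable table: look-alike -> ASCII letter.
# Covers the article's three examples plus a few Cyrillic look-alikes.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # ɩ LATIN SMALL LETTER IOTA
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043E": "o",  # Cyrillic о
}
IDENT_RE = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier: letter/_ then word chars


def unterminated_bidi(line: str) -> list[str]:
    """Names of bidi embeddings/overrides/isolates opened on `line` and never closed."""
    stack = []
    for ch in line:
        if ch in EMBEDDING_OPENERS or ch in ISOLATE_OPENERS:
            stack.append(ch)
        elif ch == PDF and stack and stack[-1] in EMBEDDING_OPENERS:
            stack.pop()                      # PDF closes the innermost embedding/override
        elif ch == PDI:
            while stack and stack[-1] not in ISOLATE_OPENERS:
                stack.pop()                  # PDI also ends embeddings nested in the isolate
            if stack:
                stack.pop()
    return [unicodedata.name(ch) for ch in stack]


def bidi_findings(source: str) -> list[tuple[int, str]]:
    """(line number, message) for every line that contains a bidi control character."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        present = sorted({unicodedata.name(c) for c in line if c in BIDI_CONTROLS})
        if not present:
            continue
        msg = "bidi controls: " + ", ".join(present)
        left_open = unterminated_bidi(line)
        if left_open:
            msg += "; unterminated at end of line: " + ", ".join(left_open)
        findings.append((no, msg))
    return findings


def visible_form(line: str) -> str:
    """Drop the controls so the logical (compiler's) order can be printed unambiguously."""
    return "".join(c for c in line if c not in BIDI_CONTROLS)


def skeleton(ident: str) -> str:
    return "".join(CONFUSABLES.get(c, c) for c in ident)


def confusable_identifiers(source: str) -> dict[str, list[str]]:
    """Groups of distinct identifiers that become identical after confusable folding."""
    groups = defaultdict(set)
    for m in IDENT_RE.finditer(source):
        groups[skeleton(m.group())].add(m.group())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample: the article's Go-style line with real control characters
# (RLO and the trailing LRI are left open; the first LRI is closed by PDI),
# plus a homoglyph pair of function names.
SAMPLE = (
    "package main\n"
    "func check(access_level string) {\n"
    '    if access_level != "user\u202e \u2066// Check if admin\u2069 \u2066" {\n'
    '        println("granted")\n'
    "    }\n"
    "}\n"
    "func sayHello() {}\n"
    "func s\u0251yHello() {}\n"
)

if __name__ == "__main__":
    for no, msg in bidi_findings(SAMPLE):
        print(f"line {no}: {msg}")
        print("  logical order:", visible_form(SAMPLE.splitlines()[no - 1]).strip())
    for group in confusable_identifiers(SAMPLE).values():
        print("confusable identifiers:", " vs ".join(group))
```

Run against the sample, the scanner reports line 3 with RIGHT-TO-LEFT OVERRIDE and LEFT-TO-RIGHT ISOLATE still open at end of line, prints the logical order in which "// Check if admin" sits inside the string literal, and pairs sayHello with its look-alike. Any unterminated control is worth failing a commit hook on; legitimate bidirectional text in comments normally closes what it opens.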

Addendum 1: Fixes for the vulnerability have been prepared for GCC, LLVM/Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira have also fixed the issue; a fix for GitLab is in progress. To detect problematic code, the following command is suggested (it uses bash ANSI-C quoting to build a character class of the bidi control characters; source is the directory tree to scan): grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069]' source

Addendum 2: Russ Cox, one of the developers of the Plan 9 OS and the Go programming language, criticised the excessive attention paid to the described attack method, which has long been known (Go, Rust, C++, Ruby) and was not considered serious. According to Cox, the problem concerns the correct display of information in code editors and web interfaces, which can be solved by using the right tools and code analysers during review. Therefore, instead of focusing attention on speculative attacks, it would be more appropriate to focus on improving code and change review processes.

Russ Cox also believes that compilers are not the right place to fix the problem: even if dangerous characters are prohibited at the compiler level, a huge layer of tools remains in which the use of these characters is still accepted, such as build systems, assemblers, package managers and various parsers of configuration files and data. As an example he cites the Rust project, which prohibited the processing of LTR/RTL code in the compiler but added no fix to the Cargo package manager, which allows a similar attack via the Cargo.toml file. In the same way, files such as BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml and requirements.txt can become a source of attacks.

Source: opennet.ru