Bafuputsi ba Univesithi ea Cambridge ba phatlalalitse mokhoa oa ho kenya khoutu e mpe ka khutso ho khoutu ea mohloli e hlahlojoang ke lithaka. Mokhoa o lokiselitsoeng oa tlhaselo (CVE-2021-42574) o hlahisoa tlas'a lebitso la Trojan Source mme o thehiloe ho thehoeng ha mongolo o shebahalang o fapane bakeng sa moqapi / mofetoleli le motho ea bonang khoutu. Mehlala ea mokhoa ona e bontšoa bakeng sa baqapi le bafetoleli ba fapaneng ba fanoeng bakeng sa C, C++ (gcc le clang), C #, JavaScript (Node.js), Java (OpenJDK 16), Rust, Go le Python.
Mokhoa ona o itšetlehile ka tšebeliso ea litlhaku tse khethehileng tsa Unicode ho litlhaloso tsa khoutu tse fetolang tatellano ea pontšo ea mongolo oa bobeli. Ka thuso ea litlhaku tse joalo tsa taolo, likarolo tse ling tsa mongolo li ka hlahisoa ho tloha ho le letšehali ho ea ho le letona, ha tse ling - ho tloha ho le letona ho ea ho le letšehali. Mekhoeng ea letsatsi le letsatsi, litlhaku tse joalo tsa taolo li ka sebelisoa, ka mohlala, ho kenya mela ea khoutu ka Seheberu kapa Searabia faeleng. Empa haeba u kopanya mela e nang le litaelo tse fapaneng tsa mongolo moleng o le mong, u sebelisa litlhaku tse boletsoeng, litemana tsa mongolo tse hlahang ho tloha ho le letona ho ea ho le letšehali li ka fetana le mongolo o teng oa kamehla o bontšitsoeng ho tloha ho le letšehali ho ea ho le letona.
U sebelisa mokhoa ona, u ka eketsa mohaho o lonya ho khoutu, empa joale etsa hore mongolo o nang le mohaho ona o se ke oa bonahala ha u shebella khoutu, ka ho eketsa tlhaloso e latelang kapa ka har'a litlhaku tsa sebele tse bontšitsoeng ho tloha ho le letona ho ea ho le letšehali, tse tla lebisa ho ho feletseng. ditlhaku tse fapaneng tse phahamisitsoeng hodima kenyo e mpe. Khoutu e joalo e tla lula e nepahetse ka mokhoa oa semantically, empa e tla hlalosoa le ho bontšoa ka tsela e fapaneng.
Ha a ntse a hlahloba khoutu, moqapi o tla tobana le tatellano ea pono ea batho bao ho buuoang ka bona 'me o tla bona tlhaloso e sa belaetseng ho mohlophisi oa mongolo oa morao-rao, sebopeho sa websaete kapa IDE, empa moqapi le mofetoleli ba tla sebelisa tatellano e utloahalang ea batho bao ho buuoang ka bona. sebetsa ho kenya ka lonya joalo ka ha ho le joalo, ntle le ho ela hloko mongolo oa mahlakore a mabeli litlhalosong. Bothata bo ama bahlophisi ba khoutu ba fapaneng ba tsebahalang (VS Code, Emacs, Atom), hammoho le li-interfaces tsa ho shebella khoutu libakeng tsa polokelo (GitHub, Gitlab, BitBucket le lihlahisoa tsohle tsa Atlassian).
Ho na le litsela tse 'maloa tsa ho sebelisa mokhoa oa ho kenya ts'ebetsong liketso tse mpe: ho eketsa polelo e patiloeng ea "khutla", e lebisang ho phethoa ha mosebetsi pele ho nako; ho fana ka maikutlo a lipolelo tseo ka tloaelo li ka bonahalang e le liqapi tse nepahetseng (mohlala, ho thibela licheke tsa bohlokoa); ho abela litekanyetso tse ling tsa likhoele tse lebisang mefokolong ea netefatso ea likhoele.
Ka mohlala, mohlaseli a ka sisinya phetoho e kenyeletsang mohala: haeba access_level != "user{U+202E} {U+2066}// Sheba hore na ke admin{U+2069} {U+2066}" {
e tla hlahisoa sebopehong sa tlhahlobo joalo ka ha eka access_level != "mosebelisi" {// Sheba hore na ke admin
Ho feta moo, ho hlahisitsoe phapano e 'ngoe ea tlhaselo (CVE-2021-42694), e amanang le ts'ebeliso ea li-homoglyphs, litlhaku tse ts'oanang ka ponahalo, empa li fapane ka moelelo ebile li na le likhoutu tse fapaneng tsa unicode (mohlala, sebopeho "ɑ" se tšoana le " a”, “ɡ” - “g”, “ɩ” - “l”). Litlhaku tse ts'oanang li ka sebelisoa lipuong tse ling ka mabitso a mesebetsi le mefuta e fapaneng ho khelosa batho ba ntlafatsang. Mohlala, mesebetsi e 'meli e nang le mabitso a sa khetholleheng e ka hlalosoa e etsang liketso tse fapaneng. Ntle le tshekatsheko e e tseneletseng, ga go bonale sentle gore ke efe mo go tse pedi tse, e e bidiwang mo lefelong le le rileng.
E le mokhoa oa ts'ireletso, ho kgothaletswa hore bakopanyi, bafetoleli le lisebelisoa tsa kopano tse tšehetsang litlhaku tsa Unicode li bonts'e phoso kapa temoso haeba ho na le litlhaku tsa taolo tse sa sebetseng litlhalosong, li-trials, kapa li-identifiers tse fetolang tataiso ea tlhahiso (U+202A, U+202B, U +202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069, U+061C, U+200E le U+200F). Litlhaku tse joalo li tlameha ho haneloa ka ho hlaka ho litlhaloso tsa puo ea lenaneo 'me li lokela ho hlomphuoa ho bahlophisi ba khoutu le lihokelo tsa polokelo.
Sehlomathiso sa 1: Lipache tsa tlokotsi li lokiselitsoe GCC, LLVM/Clang, Rust, Go, Python le binutils. GitHub, Bitbucket le Jira le bona ba ile ba lokisa bothata. Tokiso ea GitLab e ntse e tsoela pele. Ho tseba khoutu e nang le bothata, ho khothaletsoa ho sebelisa taelo: grep -r $'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069\uXNUMX/' mohlodi
Tlatsetso ea 2: Russ Cox, e mong oa bahlahisi ba Plan 9 OS le puo ea lenaneo la Go, o ile a nyatsa tlhokomelo e feteletseng ho mokhoa o hlalositsoeng oa tlhaselo, oo e leng khale o tsejoa (Go, Rust, C ++, Ruby) mme ha oa ka oa nkoa ka botebo. . Ho ea ka Cox, bothata bo ameha haholo ka pontšo e nepahetseng ea tlhahisoleseding ho bahlophisi ba khoutu le li-interfaces tsa websaete, tse ka rarolloang ka ho sebelisa lisebelisoa tse nepahetseng le bahlahlobi ba khoutu nakong ea tlhahlobo. Ka hona, ho e-na le ho lebisa tlhokomelo ho litlhaselo tse inahaneloang, ho ka ba ho loketseng haholoanyane ho tsepamisa maikutlo ho ntlafatsa mekhoa ea ho hlahloba khoutu le ho itšetleha.
Ras Cox o boetse o lumela hore li-compilers ha se sebaka se nepahetseng sa ho lokisa bothata, kaha ka ho thibela matšoao a kotsi boemong ba motlatsi, ho ntse ho e-na le lera le leholo la lisebelisoa tseo ho tsona tšebeliso ea matšoao ana e ntse e amoheleha, joalo ka mekhoa ea ho haha, li-assemblers, batsamaisi ba liphutheloana le li-parser tse fapaneng tsa tlhophiso le data. Ka mohlala, morero oa Rust o fanoe, o neng o thibela ho sebetsa ha khoutu ea LTR / RTL ho moqapi, empa ha oa ka oa eketsa ho lokisoa ho mookameli oa sephutheloana sa Cargo, e lumellang tlhaselo e tšoanang ka faele ea Cargo.toml. Ka mokhoa o ts'oanang, lifaele tse kang BUILD.bazel, CMakefile, Cargo.toml, Dockerfile, GNUmakefile, Makefile, go.mod, package.json, pom.xml le needs.txt e ka fetoha mehloli ea litlhaselo.
Source: opennet.ru