eslint-plugin-anti-trojan-source
Detect trojan source attacks that employ unicode bidi attacks to inject malicious code
About
ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.
If you're unaware of what Trojan Source attacks are, or how unicode characters injected into a codebase could be used in malicious ways, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the library and command-line tool anti-trojan-source.
Install
npm install --save-dev eslint-plugin-anti-trojan-source
Usage example
Once you've installed this plugin, add it to your eslint configuration as follows.
First, you need to define it as a plugin:
Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.
{
"plugins": ["anti-trojan-source"]
}
Then, add an ESLint rule that halts if it finds a Trojan Source attack:
"rules": {
"anti-trojan-source/no-bidi": "error"
}
Following is a complete example of configuration if you are defining ESLint configuration in your package.json
file:
"eslintConfig": {
"plugins": [
"anti-trojan-source"
],
"rules": {
"anti-trojan-source/no-bidi": "error"
}
}
Example output
The following is an example output when the plugin finds a Trojan Source attack in your codebase:
/Users/lirantal/projects/repos/@gigsboat/cli/index.js
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' } if (isAdmin) begin admins only ' anti-trojan-source/no-bidi
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only { ' anti-trojan-source/no-bidi
/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
2:1 error Detected potential trojan source attack with unicode bidi introduced in this code: '"user // Check if admin "' anti-trojan-source/no-bidi
Author
eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.