A detector for Trojan Source and other Unicode-based vulnerabilities in source code.

Trojan Source Detector

This application detects Trojan Source attacks in source code: Unicode bidirectional (bidi) control characters such as U+202E RIGHT-TO-LEFT OVERRIDE that make code render in a different order from the one the compiler or interpreter parses, so that a reviewer sees something other than what actually runs (the attack described in the 2021 Trojan Source paper by Boucher and Anderson). It can be used as part of a CI system to make sure that no Trojan Source / bidi text attack slips into a pull request.
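To make concrete what the detector looks for, here is an added example in Go of the core check. It is not code from the trojansourcedetector project; the Finding type, the Scan function and the sample file are constructed for illustration, and the JSON field names simply follow the output format shown in the issue reports further down this page. Scan reports every bidi control character in a file and, when asked, every other non-ASCII character, with 1-based line and column, as the tool does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"unicode"
	"unicode/utf8"
)

// Finding mirrors the one-line JSON records the detector prints.
type Finding struct {
	Name    string `json:"name"`
	File    string `json:"file"`
	Line    int    `json:"line"`
	Column  int    `json:"column"`
	Details string `json:"details"`
}

// bidiControls lists the code points with the Unicode Bidi_Control property.
// They change the order in which text is displayed without changing the byte
// order a compiler or interpreter parses, which is what a Trojan Source
// attack relies on.
var bidiControls = map[rune]string{
	0x061C: "ARABIC LETTER MARK (ALM)",
	0x200E: "LEFT-TO-RIGHT MARK (LRM)",
	0x200F: "RIGHT-TO-LEFT MARK (RLM)",
	0x202A: "LEFT-TO-RIGHT EMBEDDING (LRE)",
	0x202B: "RIGHT-TO-LEFT EMBEDDING (RLE)",
	0x202C: "POP DIRECTIONAL FORMATTING (PDF)",
	0x202D: "LEFT-TO-RIGHT OVERRIDE (LRO)",
	0x202E: "RIGHT-TO-LEFT OVERRIDE (RLO)",
	0x2066: "LEFT-TO-RIGHT ISOLATE (LRI)",
	0x2067: "RIGHT-TO-LEFT ISOLATE (RLI)",
	0x2068: "FIRST STRONG ISOLATE (FSI)",
	0x2069: "POP DIRECTIONAL ISOLATE (PDI)",
}

// Scan decodes text rune by rune and reports every bidi control character.
// With detectUnicode set it also reports every other non-ASCII rune, which
// is what catches homoglyph identifiers and strings. Invalid UTF-8 is
// reported too: a scanner that silently skipped undecodable bytes could be
// steered past a payload. Line and column are 1-based and counted in runes.
func Scan(file, text string, detectUnicode bool) []Finding {
	var findings []Finding
	line, col := 1, 1
	for i := 0; i < len(text); {
		r, size := utf8.DecodeRuneInString(text[i:])
		switch {
		case r == utf8.RuneError && size == 1:
			findings = append(findings, Finding{"invalid utf-8", file, line, col,
				fmt.Sprintf("undecodable byte 0x%02x", text[i])})
		case r == '\n':
			line++
			col = 0 // incremented to 1 below, for the first rune of the next line
		default:
			if name, ok := bidiControls[r]; ok {
				findings = append(findings, Finding{"bidirectional control character", file, line, col,
					fmt.Sprintf("U+%04X %s", r, name)})
			} else if detectUnicode && r > unicode.MaxASCII {
				findings = append(findings, Finding{"non-ascii character", file, line, col,
					fmt.Sprintf("U+%04X", r)})
			}
		}
		i += size
		col++
	}
	return findings
}

// sample is a constructed file, not taken from any real project. Line 4 hides
// an RLO (U+202E) and an LRI (U+2066) inside a comment so that a bidi-aware
// editor renders the closing "*/" and the "return true" in a different order
// from the one the compiler sees; line 5 compares against a string whose
// first letter is Cyrillic a (U+0430), a homoglyph of Latin a.
const sample = "package x\n" +
	"\n" +
	"func access(user string, admin bool) bool {\n" +
	"\t/* \u202e } \u2066 if admin */ return true\n" +
	"\tif user == \"\u0430dmin\" { return true }\n" +
	"\treturn false\n" +
	"}\n"

func main() {
	detectUnicode := len(os.Args) > 1 && os.Args[1] == "-unicode"
	enc := json.NewEncoder(os.Stdout)
	for _, f := range Scan("sample.go", sample, detectUnicode) {
		enc.Encode(f) // one JSON object per line, as the detector does
	}
}
```

Run it as `go run main.go` to get the two bidi findings on line 4 (columns 5 and 9), or `go run main.go -unicode` to also get the Cyrillic homoglyph on line 5, column 14. The second mode is the equivalent of detect_unicode in the configuration below: it finds more, but it also flags every legitimate non-ASCII character in comments and strings.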

Usage

This utility can be run on GitHub Actions:

jobs:
  trojansource:
    name: Trojan Source Detection
    runs-on: ubuntu-latest
    steps:
      # Checkout your project with git
      - name: Checkout
        uses: actions/checkout@v2
      # Run trojansourcedetector
      - name: Trojan Source Detector
        uses: haveyoudebuggedit/trojansourcedetector@v1

You can also run it on any CI system by simply downloading the released binary and running:

./trojansourcedetector

Configuration

You can customize the behavior by providing a config file. This file is named .trojansourcedetector.json by default and has the following fields:

Field           Description

directory       Directory to run the check on. Defaults to the current directory.

include         List of files to include in the scan. Paths are written in Linux syntax with forward slashes and start at the project directory. Basic pattern matching is supported via Go filepath. Defaults to empty (all files).

exclude         List of files to exclude from the scan. Same path syntax as include. Defaults to .git and all its subdirectories.

detect_unicode  Alert on every non-ASCII Unicode character, not only bidi controls. This also catches homoglyph tricks (identifiers or strings built from visually confusable characters), at the cost of flagging legitimate non-ASCII text in comments and string literals. Defaults to false.

detect_bidi     Detect bidirectional control characters, the ones that make the Trojan Source attack possible. Defaults to true.

parallelism     How many files to check in parallel. Defaults to 10.

For an example you can take a look at the .trojansourcedetector.json in this repository.
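As an added illustration (this is not the repository's own .trojansourcedetector.json, which the line above points to), a configuration that uses every field from the table, with exclusions modelled on the CPython layout quoted in the comments further down. The patterns assume Go filepath.Match syntax, where a single `*` matches within one path component. Whether a custom exclude list replaces or extends the default .git exclusion is not stated on this page, so .git is listed explicitly here as a precaution.

```json
{
  "directory": ".",
  "include": [],
  "exclude": [
    ".git",
    "Doc/library/*.png",
    "Lib/distutils/command/wininst-*.exe",
    "Lib/ensurepip/_bundled/*.whl",
    "Lib/test/audiodata/*.aiff",
    "Lib/test/audiodata/*.au",
    "PC/icons/*.ico",
    "PC/icons/*.icns"
  ],
  "detect_unicode": false,
  "detect_bidi": true,
  "parallelism": 10
}
```

Set detect_unicode to true only for repositories that are ASCII-only by policy: it turns every non-ASCII character into a finding, so a project with non-English comments or test fixtures will need considerably more exclusions to keep the check green.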

If you want to use a different file name, you can change your GitHub Actions config:

jobs:
  trojansource:
    name: Trojan Source Detection
    runs-on: ubuntu-latest
    steps:
      # Checkout your project with git
      - name: Checkout
        uses: actions/checkout@v2
      # Run trojansourcedetector
      - name: Trojan Source Detector
        uses: haveyoudebuggedit/trojansourcedetector@v1
        with:
          config: path/to/config/file

Or, if you are using the command line version, you can simply pass the -config option with the appropriate config file.

Building

This tool can be built using Go 1.17 or higher:

go build cmd/trojansourcedetector/main.go

Running tests

In order to run tests, you will need to run the following two commands:

go generate
go test -v ./...

Owner

Have you debugged.it?
A couple of software engineers
Comments
  • Added support for path globbing

    Please describe the change you are making

    This PR fixes #5 by adding a custom globbing library to match files. This library now supports the **/ expression. It also adds defaults for common binary files to fix #7.

    Your code will be released under the Unlicense into the public domain for everyone to use for any purpose. Are you in the position, and are you willing to release your code under this license?

    Yes

  • Avoiding non-source files

    I am trying to integrate this tool in a build system like Buildroot, which downloads, extracts and builds various FOSS components. While just pointing trojansourcedetector to the source directory of each FOSS component, I noticed a lot of false positives due to binary (non-source) files, like images, font files, etc.

    I started using 'exclude' entries in the config file, but having to maintain such a list from a generic build system is very cumbersome, as this list may change as FOSS component versions are updated. For example, here is the exclude list for python3 itself:

        "Doc/library/hashlib-blake2-tree.png",
        "Doc/library/pathlib-inheritance.png",
        "Doc/using/win_installer.png",
        "Lib/distutils/command/wininst-14.0.exe",
        "Lib/ensurepip/_bundled/pip-21.2.3-py3-none-any.whl",
        "Lib/ensurepip/_bundled/setuptools-57.4.0-py3-none-any.whl",
        "Lib/idlelib/Icons/idle_256.png",
        "Lib/idlelib/Icons/idle.ico",
        "Lib/test/audiodata/pluck-pcm24.aiff",
        "Lib/test/audiodata/pluck-pcm24.au",
        "Lib/test/audiodata/pluck-pcm32.aiff",
        "Lib/test/audiodata/pluck-pcm32.au",
        "Mac/BuildScript/resources/background.jpg",
        "Mac/Icons/IDLE.icns",
        "Mac/Icons/PythonCompiled.icns",
        "Mac/Icons/Python Folder.icns",
        "Mac/IDLE/IDLE.app/Contents/Resources/IDLE.icns",
        "Mac/IDLE/IDLE.app/Contents/Resources/PythonCompiled.icns",
        "Mac/Resources/iconsrc/IDE.psd",
        "PC/icons/launcher.icns",
        "PC/icons/pyc.icns",
        "PC/icons/pyd.icns",
        "PC/icons/python.icns",
        "PC/icons/python.ico",
        "PC/icons/pythonw.icns",
        "PC/icons/pythonw.ico",
        "PC/icons/pythonx150.png",
        "PC/icons/setup.icns",
        "Tools/msi/bundle/SideBar.png",
    

    A more expressive glob feature as suggested in issue #5 could perhaps help, but I wonder if there are other approaches.

    Can the tool make the distinction between 'source' files and 'binary' files? A common approach for this is to check for the presence of a null character, but for this case I think it allows too easy a backdoor for an adversary: adding such a null byte in real source code could go unnoticed too.

  • Ignore gosec linter G307 for file Close.

    Please describe the change you are making

    The linter is failing, preventing a release. ...

    Your code will be released under the Unlicense into the public domain for everyone to use for any purpose. Are you in the position, and are you willing to release your code under this license?

    Yes! ...

  • GHA plugin does not respect config parameter (with.config)

    The problem

    When providing an alternative configuration file, using the .with.config as outlined in the documentation;

          # Run trojansourcedetector
          - name: Trojan Source Detector
            uses: haveyoudebuggedit/trojansourcedetector@v1
            with:
              config: path/to/config/file
    

    the observed behavior is that this configuration is not used at all and the plugin will always try to load .trojansourcedetector.json from your repository.

    Expected behavior

    Have the GHA plugin use the provided path/to/config/file.

    The solution

    I believe in the action.yml one step is omitted, which would pass the config input as an argument to the docker image. I will attach a PR.

  • Fixes #10: Don't scan symlinks, device nodes, named pipes, etc

    Please describe the change you are making

    This PR fixes #10 and ignores all non-file special filesystem entries.

    Your code will be released under the Unlicense into the public domain for everyone to use for any purpose. Are you in the position, and are you willing to release your code under this license?

    Yes

  • Fails on symbolic links to directories

    For example in the Linux kernel sources:

    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/arc","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/arc: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/arm","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/arm: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/arm64","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/arm64: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/c6x","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/c6x: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/dt-bindings","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/dt-bindings: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/h8300","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/h8300: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/microblaze","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/microblaze: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/sh","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/sh: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/mips","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/mips: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/nios2","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/nios2: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/openrisc","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/openrisc: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/powerpc","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/powerpc: is a directory"}
    {"name":"failed to read file","file":"scripts/dtc/include-prefixes/xtensa","line":1,"column":1,"details":"read scripts/dtc/include-prefixes/xtensa: is a directory"}
    

    These are all symbolic links to a directory:

    $ ls -l scripts/dtc/include-prefixes/
    total 0
    lrwxrwxrwx 1 tdescham tdescham 26 Dec  2 09:55 arc -> ../../../arch/arc/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 26 Dec  2 09:55 arm -> ../../../arch/arm/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 28 Dec  2 09:55 arm64 -> ../../../arch/arm64/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 26 Dec  2 09:55 c6x -> ../../../arch/c6x/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 28 Dec  2 09:55 dt-bindings -> ../../../include/dt-bindings
    lrwxrwxrwx 1 tdescham tdescham 28 Dec  2 09:55 h8300 -> ../../../arch/h8300/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 33 Dec  2 09:55 microblaze -> ../../../arch/microblaze/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 27 Dec  2 09:55 mips -> ../../../arch/mips/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 28 Dec  2 09:55 nios2 -> ../../../arch/nios2/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 31 Dec  2 09:55 openrisc -> ../../../arch/openrisc/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 30 Dec  2 09:55 powerpc -> ../../../arch/powerpc/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 25 Dec  2 09:55 sh -> ../../../arch/sh/boot/dts
    lrwxrwxrwx 1 tdescham tdescham 29 Dec  2 09:55 xtensa -> ../../../arch/xtensa/boot/dts
    
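An added example, not the project's own code, of a file-selection pass in Go that addresses both of the issues above: the question in "Avoiding non-source files" about telling source from binary files, and the "is a directory" failures on symlinks. It walks the tree with filepath.WalkDir, which does not follow symlinks, and looks only at regular files, so symlinks to directories, device nodes and FIFOs are skipped before anything is opened. The extension lists are assumptions for the example. The NUL-byte heuristic is applied with the commenter's concern in mind: a NUL in a file that carries a source extension is reported as a finding rather than used as a reason to skip the file, so planting a NUL cannot make a bidi payload invisible to the scan.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Candidate records what the selector decided to do with one entry.
type Candidate struct {
	Path   string // slash-separated, relative to the scan root
	Action string // "scan", "skip" or "alert"
	Reason string
}

// sourceExts is a constructed allowlist of extensions treated as text source
// (an assumption for this example; the real tool uses include/exclude lists).
var sourceExts = map[string]bool{
	".go": true, ".c": true, ".h": true, ".py": true, ".js": true,
	".md": true, ".json": true, ".yml": true, ".yaml": true, ".sh": true,
}

// binaryExts covers the kinds of files from the CPython exclude list above
// that are never worth scanning (also an assumption for this example).
var binaryExts = map[string]bool{
	".png": true, ".jpg": true, ".ico": true, ".icns": true, ".psd": true,
	".exe": true, ".whl": true, ".aiff": true, ".au": true,
}

// SelectFiles walks root without following symlinks and classifies every
// entry. Directories named .git are pruned. Anything that is not a regular
// file is skipped unread. A NUL byte in the first 8 KiB marks a file as
// binary, except that a file with a source extension containing a NUL is
// reported as an alert instead of being skipped.
func SelectFiles(root string) ([]Candidate, error) {
	var out []Candidate
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		if d.IsDir() {
			if d.Name() == ".git" && p != root {
				return filepath.SkipDir
			}
			return nil
		}
		// WalkDir reports symlinks as symlinks (it uses lstat), so a link to a
		// directory never reaches the read below.
		if !d.Type().IsRegular() {
			out = append(out, Candidate{rel, "skip", "not a regular file: " + d.Type().String()})
			return nil
		}
		ext := strings.ToLower(filepath.Ext(p))
		if binaryExts[ext] {
			out = append(out, Candidate{rel, "skip", "binary extension"})
			return nil
		}
		hasNUL, err := containsNUL(p)
		if err != nil {
			return err
		}
		switch {
		case hasNUL && sourceExts[ext]:
			out = append(out, Candidate{rel, "alert", "NUL byte in a file with a source extension"})
		case hasNUL:
			out = append(out, Candidate{rel, "skip", "NUL byte, treated as binary"})
		default:
			out = append(out, Candidate{rel, "scan", "text"})
		}
		return nil
	})
	return out, err
}

// containsNUL reports whether the first 8 KiB of the file hold a NUL byte.
func containsNUL(p string) (bool, error) {
	f, err := os.Open(p)
	if err != nil {
		return false, err
	}
	defer f.Close()
	buf := make([]byte, 8192)
	n, err := io.ReadFull(f, buf)
	if err != nil && err != io.ErrUnexpectedEOF && err != io.EOF {
		return false, err
	}
	return bytes.IndexByte(buf[:n], 0) >= 0, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	cands, err := SelectFiles(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, c := range cands {
		fmt.Printf("%-5s %-40s %s\n", c.Action, c.Path, c.Reason)
	}
}
```

Point it at a checkout (`go run main.go /path/to/linux`) and the scripts/dtc/include-prefixes entries come back as "skip: not a regular file" instead of read errors. The "alert" action is the part worth keeping in mind when adopting any binary-file heuristic: whatever rule decides that a file is not source must itself be something an attacker cannot trigger from inside a source file without being noticed.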
  • Fixes #9: Dockerfile does not work the same as the CLI version

    Please describe the change you are making

    This PR fixes #9 and adds a generally-usable Dockerfile. It also pushes to the GitHub Container Registry for container-based usage.

    Your code will be released under the Unlicense into the public domain for everyone to use for any purpose. Are you in the position, and are you willing to release your code under this license?

    Yes

  • main: add newline to 'No errors found' message

    Please describe the change you are making

    The 'success' message did not end in a newline character, causing unexpected indentation of subsequent messages when this tool is used in a build process.

    Your code will be released under the Unlicense into the public domain for everyone to use for any purpose. Are you in the position, and are you willing to release your code under this license?

    Yes
