Trojan Source Detector

A few hours ago the Trojan Source exploit went out of embargo, and we already have a tool to check for it. The source code, binaries, and an easy-to-use GitHub action are available on GitHub.

CVE-2021-42574, or Trojan Source, is a rather ingenious way to inject malicious code into open source repositories: Unicode bidirectional control characters are used to fool the reviewer into thinking that the code does something other than what it actually does. Over the past few weeks vendors have scrambled to get fixes out under embargo, which lifted today.

Despite fixes now becoming available, Unicode is still hard, and this is only the latest in a line of exploits that exist because of it. That’s why we are releasing a simple tool to check your repositories for Unicode usage in general and for the Trojan Source exploit in particular.

GitHub Actions

If you are using GitHub actions, you can simply add the following job:

jobs:
  trojansource:
    name: Trojan Source Detection
    runs-on: ubuntu-latest
    steps:
      # Checkout your project with git
      - name: Checkout
        uses: actions/checkout@v2
      # Run trojansourcedetector
      - name: Trojan Source Detector
        uses: haveyoudebuggedit/trojansourcedetector@v1

You can, of course, customize the configuration file in use (more on that later) by adding the config parameter:

jobs:
  trojansource:
    name: Trojan Source Detection
    runs-on: ubuntu-latest
    steps:
      # Checkout your project with git
      - name: Checkout
        uses: actions/checkout@v2
      # Run trojansourcedetector
      - name: Trojan Source Detector
        uses: haveyoudebuggedit/trojansourcedetector@v1
        with:
          config: path/to/config/file

Other CI systems

For other CI systems you can download the latest release in binary or source code form. It has no dependencies and runs on Linux, Windows, or macOS.

You can run it like this:

# Linux/MacOS
./trojansourcedetector
# Windows
trojansourcedetector.exe

If you want to customize the config file, you can do so with the -config parameter.

Configuration

You can customize the behavior by providing a config file. This file is named .trojansourcedetector.json by default and has the following fields:

Field            Description
directory        Directory to run the check on. Defaults to the current directory.
include          A list of files to include in the scan. Paths must use Linux syntax (forward slashes) and begin with the project directory. Basic pattern matching is supported via Go's filepath package. Defaults to empty (all files).
exclude          A list of files to exclude from the scan. Paths must use Linux syntax (forward slashes) and begin with the project directory. Basic pattern matching is supported via Go's filepath package. Defaults to .git and all its subdirectories.
detect_unicode   Alert on every non-ASCII Unicode character. Defaults to false.
detect_bidi      Detect bidirectional control characters, the ones that make the Trojan Source attack possible. Defaults to true.
parallelism      How many files to check in parallel. Defaults to 10.
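To show what the detect_bidi and detect_unicode options actually look for, here is a minimal Go scanner written for this post (it is not the detector's own source code). It reports every bidirectional control character, and optionally every other non-ASCII rune, with its line and column; the Finding type and the Sample input are constructed for the example, and the code point list is the set of bidi controls named in the Trojan Source disclosure.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// Finding describes one suspicious code point and where it sits (1-based, rune columns).
type Finding struct {
	Line, Column int
	Rune         rune
	Kind         string // "bidi" or "unicode"
}

// Bidi controls abused by Trojan Source (CVE-2021-42574): embeddings, overrides and isolates.
var bidiControls = map[rune]string{
	0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
	0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}

// Scan mirrors detect_bidi and detect_unicode: every bidi control is reported,
// and with detectUnicode set every other non-ASCII (or malformed) rune as well.
func Scan(src []byte, detectUnicode bool) []Finding {
	var findings []Finding
	line, col := 1, 1
	for len(src) > 0 {
		r, size := utf8.DecodeRune(src) // malformed bytes decode to RuneError (U+FFFD)
		src = src[size:]
		switch {
		case r == '\n':
			line, col = line+1, 0
		case bidiControls[r] != "":
			findings = append(findings, Finding{line, col, r, "bidi"})
		case detectUnicode && r >= utf8.RuneSelf:
			findings = append(findings, Finding{line, col, r, "unicode"})
		}
		col++
	}
	return findings
}

// Sample is a constructed snippet: a harmless accented letter, an RLO override
// hidden inside a string literal, and an LRI/PDI isolate pair around a brace.
const Sample = "c := \"café\"\nname := \"abc\u202Edef\"\nif ok \u2066{\u2069\n"

func main() {
	for _, f := range Scan([]byte(Sample), false) {
		fmt.Printf("%d:%d U+%04X %s (%s)\n", f.Line, f.Column, f.Rune, bidiControls[f.Rune], f.Kind)
	}
}
```

With detect_unicode off, only the three bidi controls are reported; switching it on additionally flags the accented letter on line 1, which is exactly the kind of benign hit that makes that option noisy on non-English code bases.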