Unicode tricks in pull requests: Do review tools warn us?
Unicode tricks in pull requests: Do review tools warn us?
In this blog post I take a look at how well GitHub, GitLab and Bitbucket support reviewers in finding malicious code changes in pull requests.
You're viewing a single thread.
Homoglyphs? Invisible text? Bidirectional text? Just highlight every line that goes beyond ASCII with yellow warning colors and require to vet it. Maybe make localization data an exception.
44 0 ReplyThis doesn't work for code bases written in non-English languages. Especially east asian languages.
Any line containing an identifier that is also a word would be highlighted.
More and more programming languages are supporting unicode identifiers for this use case.
12 0 ReplySo it won't work for 0.0001% of all github projects.
11 0 ReplyI'd suggest to have the occasional look at the "most popular repos" ranking. It's about 50% Chinese.
Super-interesting sometimes as it shows completely different tech trends.
5 0 ReplyI know right.
It's wild that an American company primarily doing business in the West would have a bias towards English.
1 0 Reply
Yeah, just don't. Allowing to code in anything other than English is a disservice, plain and simple.
Inb4, I'm not being US-centric, Latin ain't even my native alphabet.
6 0 Reply
Very simple solution actually. Here I was thinking we'd need AI to solve it.
6 0 ReplyPeople would call that solution AI these days. If it has at least one if statement then they call it AI
16 0 ReplyWe say we have AI to get VC funding
3 0 Reply
Or the non-ascii character itself.
1 0 ReplyDoesn't work if it's invisible.
3 0 Replywhat about a box around it?
1 0 Reply