Unicode tricks in pull requests: Do review tools warn us?
In this blog post I take a look at how well GitHub, GitLab and Bitbucket support reviewers in finding malicious code changes in pull requests.

monk @lemmy.unboiled.info
Homoglyphs? Invisible text? Bidirectional text? Just highlight every line that goes beyond ASCII in yellow warning colors and require it to be vetted. Maybe make localization data an exception.
44 0 Reply
cbarrick @lemmy.world
This doesn't work for code bases written in non-English languages. Especially East Asian languages.
Any line containing an identifier that is also a word would be highlighted.
More and more programming languages are supporting unicode identifiers for this use case.
12 0 Reply
mrkite @programming.dev
So it won't work for 0.0001% of all github projects.
11 0 Reply
monk @lemmy.unboiled.info
Yeah, just don't. Allowing coding in anything other than English is a disservice, plain and simple.
Inb4, I'm not being US-centric, Latin ain't even my native alphabet.
6 0 Reply
Actual @programming.dev
Very simple solution actually. Here I was thinking we'd need AI to solve it.
6 0 Reply
DudeDudenson @lemmings.world
People would call that solution AI these days. If it has at least one if statement then they call it AI.
16 0 Reply
slacktoid @lemmy.ml
We say we have AI to get VC funding
3 0 Reply
arthur @lemmy.zip
Or the non-ASCII character itself.
1 0 Reply
monk @lemmy.unboiled.info
Doesn't work if it's invisible.
3 0 Reply
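As an added example (not from the blog post or from any of the commenters), here is a small Python scanner that implements monk's suggestion and addresses the two objections raised in the replies: it flags every line that goes beyond ASCII, classifies what it found (a bidi control, an invisible character, a homoglyph from a hand-picked subset of Cyrillic/Greek look-alikes, or plain non-ASCII text such as a non-English identifier), renders the characters as `\uXXXX` escapes so that invisible ones actually show up, and takes an exemption pattern so localization data can be skipped. The sample diff lines, the confusables subset and the `// i18n` exemption marker are all constructed for this example.

```python
import re
import unicodedata

# Hand-picked Cyrillic and Greek letters that render like Latin letters.
# Constructed subset for this example, not the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",
    "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03bf": "o",
}

# Unicode bidirectional controls: embeddings, overrides, isolates and marks.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
    "\u200e\u200f"                     # LRM RLM
)


def classify(ch):
    """Tag one character: None for ASCII, otherwise bidi / homoglyph / invisible / non-ascii."""
    if ord(ch) < 0x80:
        return None
    if ch in BIDI_CONTROLS:
        return "bidi"
    if ch in CONFUSABLES:
        return "homoglyph"
    # Cf covers zero-width joiners/spaces and the BOM; Cc, Zs, Zl, Zp are other
    # controls and separators that render as nothing or as plain whitespace.
    if unicodedata.category(ch) in ("Cf", "Cc", "Zs", "Zl", "Zp"):
        return "invisible"
    return "non-ascii"


def escape_non_ascii(line):
    """Replace every non-ASCII character with its \\uXXXX escape so that
    invisible characters become visible in the review output."""
    return "".join(f"\\u{ord(c):04x}" if ord(c) >= 0x80 else c for c in line)


def scan(text, exempt=None):
    """Return [(line_no, tags, escaped_line)] for each line with non-ASCII content.

    `exempt` is an optional regex; lines matching it (e.g. a localization marker)
    are skipped, which is the "make localization data an exception" part.
    """
    exempt_re = re.compile(exempt) if exempt else None
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if exempt_re and exempt_re.search(line):
            continue
        tags = sorted({t for t in map(classify, line) if t})
        if tags:
            findings.append((n, tags, escape_non_ascii(line)))
    return findings


def format_report(findings):
    """One line per finding, in the style of a linter warning."""
    return "\n".join(f"line {n}: {','.join(tags)}: {shown}" for n, tags, shown in findings)


# Constructed sample diff lines, not taken from any real pull request.
SAMPLE_DIFF = "\n".join([
    '+    if (user.r\u043ele == "admin") {',             # Cyrillic о inside "role": homoglyph
    '+        grant_access();\u200b',                    # zero-width space: invisible
    '+    /* } \u2067 if (is_admin) \u2066 */ deny();',  # bidi isolates reorder the rendered line
    '+    msg = "Gr\u00fc\u00dfe";  // i18n',            # legitimate non-ASCII string, exempted
    '+    return 0;',
])

if __name__ == "__main__":
    print(format_report(scan(SAMPLE_DIFF, exempt=r"//\s*i18n")))
```

Run without the `exempt` pattern, the `// i18n` line is reported too, but only with the `non-ascii` tag, which is the distinction cbarrick's objection needs: a reviewer of a code base with non-English identifiers can treat `non-ascii` as informational and still stop on `bidi`, `invisible` and `homoglyph`.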
snowe @programming.dev
Website really struggled on mobile. Any time I swiped to view the longer code lines in the code blocks, it would open the sidebar. Very annoying.
15 0 Reply
superbirra @lemmy.world
Yeah, I also hated it.
3 0 Reply
ReluctantMuskrat @lemmy.world
Had no trouble here on mobile.
2 1 Reply
superbirra @lemmy.world
Thank you for letting us know? :)
1 1 Reply
ck_ @discuss.tchncs.de
TL;DR: you could adopt good programming practices like "don't shadow mutable state" and "put constants first in a comparison", or you can pay us money so we show you obscure attempts to exploit your bad programming in code review ... maybe ...
11 1 Reply
hh93 @lemm.ee
Very interesting read.
4 1 Reply