Unicode tricks in pull requests: Do review tools warn us?
Unicode tricks in pull requests: Do review tools warn us?
In this blog post I take a look at how well GitHub, GitLab and Bitbucket support reviewers in finding malicious code changes in pull requests.
You're viewing a single thread.
-
Homoglyphs? Invisible text? Bidirectional text? Just highlight every line that goes beyond ASCII with yellow warning colors and require to vet it. Maybe make localization data an exception.
-
This doesn't work for code bases written in non-English languages. Especially east asian languages.
Any line containing an identifier that is also a word would be highlighted.
More and more programming languages are supporting unicode identifiers for this use case.
-
So it won't work for 0.0001% of all github projects.
-
I'd suggest to have the occasional look at the "most popular repos" ranking. It's about 50% Chinese.
Super-interesting sometimes as it shows completely different tech trends.
-
I know right.
It's wild that an American company primarily doing business in the West would have a bias towards English.
-
-
Yeah, just don't. Allowing to code in anything other than English is a disservice, plain and simple.
Inb4, I'm not being US-centric, Latin ain't even my native alphabet.
-
-
Very simple solution actually. Here I was thinking we'd need AI to solve it.
-
People would call that solution AI these days. If it has at least one if statement then they call it AI
-
We say we have AI to get VC funding
-
-
Or the non-ascii character itself.
-
Doesn't work if it's invisible.
-
what about a box around it?
-
-
-