eslint-plugin-anti-trojan-source

ESLint plugin to detect and stop Trojan Source attacks

APACHE-2.0 License


About

ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.

If you're unaware of what Trojan Source attacks are, or how Unicode control characters injected into a codebase can be used maliciously, refer to the README of the anti-trojan-source repository.

This ESLint plugin is based on the library and command-line tool anti-trojan-source.

👋 Jan 2023 Update: This plugin inspired the detect-bidi-characters rule in eslint-plugin-security. If you are already using that security plugin, it is advised to turn on that rule.

Install

npm install --save-dev eslint-plugin-anti-trojan-source

Usage

Once you've installed this plugin, add it to your eslint configuration as follows.

Recommended

This plugin exports a recommended configuration. To enable this configuration, extend it in the configuration for your project.

{
  "extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}

Manual

First, you need to define it as a plugin:

Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.

{
  "plugins": ["anti-trojan-source"]
}

Then, add an ESLint rule that halts if it finds a Trojan Source attack:

"rules": {
    "anti-trojan-source/no-bidi": "error"
}

The following is a complete configuration example if you define your ESLint configuration in your package.json file:

"eslintConfig": {
    "plugins": [
        "anti-trojan-source"
    ],
    "rules": {
        "anti-trojan-source/no-bidi": "error"
    }
}

Example output

The following is example output when the plugin finds a Trojan Source attack in your codebase:

/Users/lirantal/projects/repos/@gigsboat/cli/index.js
  1:1  error  Detected potential trojan source attack with unicode bidi introduced in this comment: '‮ } ⁦if (isAdmin)⁩ ⁦ begin admins only '  anti-trojan-source/no-bidi
  1:1  error  Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only ‮ { ⁦'                    anti-trojan-source/no-bidi

/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
  2:1  error  Detected potential trojan source attack with unicode bidi introduced in this code: '"user‮ ⁦// Check if admin⁩ ⁦"'  anti-trojan-source/no-bidi
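To make the check behind this output concrete, here is an added, stand-alone scanner (example code, not the plugin's own source) that reports every Unicode bidirectional control character in a source string with its line and column, and renders the affected line with those characters made visible. It assumes the nine bidi format controls U+202A-U+202E and U+2066-U+2069 as the character set to flag; the sample input is constructed to mirror the comment shown in the output above.

```javascript
// Unicode bidirectional format controls that Trojan Source attacks rely on
// (assumed set for this example; the plugin's exact list is not shown here).
const BIDI_CONTROLS = new Map([
  ['\u202A', 'LRE'], ['\u202B', 'RLE'], ['\u202C', 'PDF'],
  ['\u202D', 'LRO'], ['\u202E', 'RLO'],
  ['\u2066', 'LRI'], ['\u2067', 'RLI'], ['\u2068', 'FSI'], ['\u2069', 'PDI'],
]);

// Scan source text and return one finding per bidi control character,
// with 1-based line/column so it can be compared against ESLint's output.
function findBidiControls(source) {
  const findings = [];
  source.split('\n').forEach((lineText, lineIndex) => {
    for (let col = 0; col < lineText.length; col++) {
      const name = BIDI_CONTROLS.get(lineText[col]);
      if (name) {
        findings.push({
          line: lineIndex + 1,
          column: col + 1,
          codePoint: 'U+' + lineText.charCodeAt(col).toString(16).toUpperCase(),
          name,
          lineText,
        });
      }
    }
  });
  return findings;
}

// Replace each invisible control with a visible <U+XXXX> marker, which is how a
// reviewer can actually see what the editor rendered in a misleading order.
function escapeBidiControls(text) {
  return text.replace(/[\u202A-\u202E\u2066-\u2069]/g,
    (ch) => '<U+' + ch.codePointAt(0).toString(16).toUpperCase() + '>');
}

// Constructed sample: a comment containing RLO/LRI/PDI controls, as in the
// "begin admins only" case reported in the example output above.
const SAMPLE = [
  'function isAccessAllowed(isAdmin) {',
  '  /* \u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */',
  '  return true;',
  '  /* end admin only \u202E { \u2066 */',
  '}',
].join('\n');

for (const f of findBidiControls(SAMPLE)) {
  console.log(`${f.line}:${f.column}  ${f.codePoint} (${f.name})  ${escapeBidiControls(f.lineText)}`);
}
```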

Author

eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.