ESLint plugin to detect and stop Trojan Source attacks
APACHE-2.0 License
ESLint plugin to detect and stop Trojan Source attacks from entering your codebase.
If you are unfamiliar with Trojan Source attacks, or with how Unicode characters injected into a codebase can be used maliciously, refer to the README of the anti-trojan-source source code repository.
This ESLint plugin is based on the anti-trojan-source library and command-line tool.
👋 Jan 2023 Update:
This plugin inspired work to create an anti-trojan rule, detect-bidi-characters, in eslint-plugin-security. If you're already using that security plugin, it is advised to turn on that rule.
```shell
npm install --save-dev eslint-plugin-anti-trojan-source
```
Once you've installed this plugin, add it to your ESLint configuration as follows.
This plugin exports a recommended configuration. To enable it, extend it in the configuration for your project:
```json
{
  "extends": ["eslint:recommended", "plugin:anti-trojan-source/recommended"]
}
```
To configure the rule manually instead, first define it as a plugin:
Note: ESLint plugins can have their eslint-plugin prefix omitted when they are specified.
```json
{
  "plugins": ["anti-trojan-source"]
}
```
Then, add the ESLint rule that fails the lint run when it finds a Trojan Source attack:
```json
"rules": {
  "anti-trojan-source/no-bidi": "error"
}
```
Following is a complete example of the configuration if you define your ESLint configuration in your package.json file:
```json
"eslintConfig": {
  "plugins": [
    "anti-trojan-source"
  ],
  "rules": {
    "anti-trojan-source/no-bidi": "error"
  }
}
```
The following is example output when the plugin finds a Trojan Source attack in your codebase:
```text
/Users/lirantal/projects/repos/@gigsboat/cli/index.js
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' } if (isAdmin) begin admins only ' anti-trojan-source/no-bidi
1:1 error Detected potential trojan source attack with unicode bidi introduced in this comment: ' end admin only { ' anti-trojan-source/no-bidi
/Users/lirantal/projects/repos/@gigsboat/cli/lib/helper.js
2:1 error Detected potential trojan source attack with unicode bidi introduced in this code: '"user // Check if admin "' anti-trojan-source/no-bidi
```
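To make the report above concrete, here is an added illustration of what the no-bidi rule is looking for. This is not the plugin's own source code and does not use its API: it is a stand-alone scanner for the Unicode explicit bidirectional control characters (U+202A to U+202E and U+2066 to U+2069) that Trojan Source attacks rely on, reporting each hit with a 1-based line and column in the style of an ESLint finding. The sample file contents, the `findBidiControls` and `formatReport` names, and the report wording are all constructed for this example.

```javascript
// Added example, not the plugin's implementation: scan source text for the
// Unicode bidi embedding/override/isolate controls and report where they are.
const BIDI_CONTROLS = new Map([
  ['\u202A', 'LRE'], ['\u202B', 'RLE'], ['\u202C', 'PDF'],
  ['\u202D', 'LRO'], ['\u202E', 'RLO'],
  ['\u2066', 'LRI'], ['\u2067', 'RLI'], ['\u2068', 'FSI'], ['\u2069', 'PDI'],
]);

// Global flag so matchAll and replace walk every control on a line.
const BIDI_PATTERN = /[\u202A-\u202E\u2066-\u2069]/g;

// Return one finding per bidi control character found in `source`,
// with 1-based line and column numbers as ESLint prints them.
function findBidiControls(source) {
  const findings = [];
  const lines = source.split(/\r?\n/);
  lines.forEach((line, index) => {
    for (const match of line.matchAll(BIDI_PATTERN)) {
      findings.push({
        line: index + 1,
        column: match.index + 1,
        codePoint: 'U+' + match[0].codePointAt(0).toString(16).toUpperCase(),
        name: BIDI_CONTROLS.get(match[0]),
        // Show the line with each invisible control replaced by a visible
        // placeholder so a reviewer can see where the reordering happens.
        context: line.replace(BIDI_PATTERN, (c) => `<${BIDI_CONTROLS.get(c)}>`),
      });
    }
  });
  return findings;
}

// Format findings like a lint run: the file path, then one line:col entry per hit.
// Returns an empty string when there is nothing to report.
function formatReport(file, findings) {
  if (findings.length === 0) return '';
  const body = findings.map(
    (f) => `  ${f.line}:${f.column}  error  Detected ${f.name} (${f.codePoint}) bidi control in: '${f.context}'  no-bidi`
  );
  return [file, ...body].join('\n');
}

// Constructed sample input (not from the page): a comment that uses RLO and
// isolates so that the rendered text reads differently from the parsed text,
// the same shape as the "isAdmin" comment in the output shown above.
const SAMPLE = [
  'const isAdmin = false;',
  '/*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */',
  'console.log("you are an admin");',
  '/* end admin only \u2066 { \u2069 */',
].join('\n');

console.log(formatReport('sample.js', findBidiControls(SAMPLE)));
```

Running the block prints six findings for the sample (four on line 2, two on line 4) and nothing for source that contains no bidi controls. Note that the scanner flags every bidi control, not only ones inside comments or strings; in a real codebase a hit in plain code is just as worth a human look, since the whole point of the attack is that the editor rendering and the compiler's view disagree.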
eslint-plugin-anti-trojan-source © Liran Tal, Released under the Apache-2.0 License.