Open olivierlefloch opened 3 years ago
Has this been implemented yet? This is extremely urgent.
Thank you for your question!
We are currently working on figuring out how to best flag up these kinds of vulnerabilities (and indeed whether CodeQL is the right tool for this particular job).
Note that if a file contains one of these uses of bidirectional input, then GitHub already alerts the user to this fact as described on the GitHub blog here.
Is this still outstanding?
We'd like to be able to block code commits that include these characters; we're currently planning to maintain our own action, but would love to be able to roll this into codeql.
Does CodeQL have plans to implement automated detection of attempts to exploit the Trojan Source vulnerabilities that have been recently publicized?
https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/
For instance, it seems right now that CodeQL with security-and-quality enabled does not raise any issues on the proof of concept repository for this security research paper: https://github.com/nickboucher/trojan-source
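Added example, not part of the thread and not CodeQL or GitHub code: a minimal scanner of the kind a commit-blocking check could run, reporting the nine Unicode bidirectional formatting characters used in Trojan Source and whether an embedding or isolate is still open at the end of the line. The names `scan_text`, `Finding` and `main` are hypothetical, and the per-line "unterminated" flag is a heuristic assumed for this sketch.

```python
import sys
from typing import List, NamedTuple

# The nine Unicode bidirectional formatting characters used by Trojan Source.
BIDI = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u202c": "PDF", "\u2069": "PDI",
}
EMBED_OPEN = {"LRE", "RLE", "LRO", "RLO"}   # terminated by PDF
ISOLATE_OPEN = {"LRI", "RLI", "FSI"}        # terminated by PDI

class Finding(NamedTuple):
    path: str
    line: int
    col: int
    name: str
    unterminated: bool  # an embedding or isolate is still open at end of line

def scan_text(text: str, path: str = "<text>") -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        hits, embeds, isolates = [], 0, 0
        for col, ch in enumerate(line, 1):
            name = BIDI.get(ch)
            if name is None:
                continue
            hits.append((col, name))
            if name in EMBED_OPEN:
                embeds += 1
            elif name in ISOLATE_OPEN:
                isolates += 1
            elif name == "PDF":
                embeds = max(0, embeds - 1)
            else:  # PDI
                isolates = max(0, isolates - 1)
        open_at_eol = embeds > 0 or isolates > 0
        findings += [Finding(path, lineno, c, n, open_at_eol) for c, n in hits]
    return findings

def main(paths: List[str]) -> int:
    found = []
    for p in paths:
        with open(p, "rb") as fh:
            found += scan_text(fh.read().decode("utf-8", errors="replace"), p)
    for f in found:
        print(f"{f.path}:{f.line}:{f.col}: bidi control {f.name}"
              + (" (unterminated on this line)" if f.unterminated else ""))
    return 1 if found else 0  # non-zero exit lets a CI step or hook fail

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the changed file paths as arguments; files with legitimate right-to-left text in strings or comments will also be reported and need an allow-list.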