Open nifey opened 2 years ago
@nifey This is brilliant! Thanks for posting this.
This is a fascinating variant of the attack, and I want to look deeper into what else can be done with this technique.
I'm going to test this against each of the languages that we're currently evaluating, and then will circle back with an accepted PR merge and likely some additional commits soon.
Thanks @nickboucher, I have pushed a simplified version of the POC with Bidi overrides in only one line (instead of 2). Hope this is useful.
Actually, I cooked up some examples for a talk about Trojan source attacks that I gave in a meetup. Later realized that the example was slightly different than the commenting out variant given in the paper, since it comments out multiple lines and also cannot be detected by scanning for unterminated bidi overrides. So I thought of posting it here.
By using the Zero Width Space character between */ in line 5, we can comment lines beyond the current line with Bidi characters.
Interestingly, GitHub UI does not show the zero width space character in its warning.
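A defender-side check for the detection gap discussed in this thread, as an added example that is not part of the original posts or the repository's code: it compares a scan for unterminated bidi controls with a scan that flags every bidi control and zero-width character. The function names and the sample text are assumptions constructed for illustration.

```python
import unicodedata

# Directional formatting characters, written as escapes so this file holds none.
EMB_OPEN = {"\u202a", "\u202b", "\u202d", "\u202e"}   # LRE, RLE, LRO, RLO
EMB_CLOSE = "\u202c"                                   # PDF
ISO_OPEN = {"\u2066", "\u2067", "\u2068"}              # LRI, RLI, FSI
ISO_CLOSE = "\u2069"                                   # PDI
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
FLAGGED = EMB_OPEN | ISO_OPEN | {EMB_CLOSE, ISO_CLOSE} | ZERO_WIDTH

def unterminated_lines(text):
    """Line numbers where an embedding/override or isolate is still open at end of line."""
    bad = []
    for no, line in enumerate(text.split("\n"), 1):
        emb = iso = 0
        for ch in line:
            if ch in EMB_OPEN:
                emb += 1
            elif ch == EMB_CLOSE and emb:
                emb -= 1
            elif ch in ISO_OPEN:
                iso += 1
            elif ch == ISO_CLOSE and iso:
                iso -= 1
        if emb or iso:
            bad.append(no)
    return bad

def find_invisible(text):
    """Every bidi control or zero-width character as (line, column, codepoint, name)."""
    hits = []
    for no, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch in FLAGGED:
                hits.append((no, col, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return hits

# Constructed sample: line 2 has a terminated override/isolate pair and a
# zero width space between '*' and '/', so the balance check alone stays silent.
SAMPLE = (
    "int check(void) {\n"
    "    /* note \u202e\u2066 text \u2069\u202c *\u200b/\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    print("unterminated:", unterminated_lines(SAMPLE))
    for hit in find_invisible(SAMPLE):
        print("line %d col %d %s %s" % hit)
```

On the sample, the balance check reports nothing while the presence check reports five characters on line 2, including the zero width space.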