Prevent TrojanSourceInjection in gitk

[vn971]

Hi! Could gitk (and if possible git gui) please implement protections against "trojan source injection"?

In short, as a developer that reviews other people's code (and potentially decides on merging), I would like to see the code and diffs in a safe way that protects me from said attack. E.g. if somebody submits malicious merge request to my repo, I want to see that from gitk / git gui.

Example of such source code can be seen here: https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

Missing this type of injection could be catastrophic

[vn971]

Or simply inlining the example right here:

string access_level = "user";
if (access_level != "user"⁦) //Check if admin 
{    
  Console.WriteLine("You are an admin."); 
}

(Taken from here https://dev.to/dotnetsafer/rip-copy-and-paste-from-stackoverflow-trojan-source-solution-4p8f )

Yes, the code that you see above is NOT what it looks like. In reality access_level is not compared to "user" in the above code. In GitHub's built-in MergeRequest/diffing interface, the UTF code points would be seen.

[PhilipOakley]

protections against "trojan source injection"

"Unicode has support for both left-to-right and right-to-left languages, and to aid writing left-to-right words inside a right-to-left sentence (or vice versa) it also features invisible codepoints called "bidirectional override"."

This is being addressed in the upstream git source. see https://lore.kernel.org/git/pull.1071.v3.git.1636031609982.gitgitgadget@gmail.com/

[vn971]

@PhilipOakley do you/we know how exactly it is addressed? E.g. if one has warnings when they try to create new commits with unicode control characters? Or that git fetch would break? Or old repositories that already use unicode control characters would suddenly break? I think those details may matter if we're thinking about gitk-s security. Would be very curious to learn how it is in git OR gitk