Unicode tricks in pull requests: Do review tools warn us?
In this blog post I take a look at how well GitHub, GitLab and Bitbucket support reviewers in finding malicious code changes in pull requests.
Homoglyphs? Invisible text? Bidirectional text? Just highlight every line that goes beyond ASCII with yellow warning colors and require it to be vetted. Maybe make localization data an exception.
Score: 45 / 0

This doesn't work for code bases written in non-English languages, especially East Asian languages.
Any line containing an identifier that is also a word would be highlighted.
More and more programming languages are supporting Unicode identifiers for this use case.
Score: 12 / 0

So it won't work for 0.0001% of all GitHub projects.
Score: 11 / 0

I'd suggest having the occasional look at the "most popular repos" ranking. It's about 50% Chinese.
Super interesting sometimes, as it shows completely different tech trends.
Score: 5 / 0

I know, right.
It's wild that an American company primarily doing business in the West would have a bias towards English.
Score: 1 / 0

Yeah, just don't. Allowing coding in anything other than English is a disservice, plain and simple.
Inb4: I'm not being US-centric, Latin ain't even my native alphabet.
Score: 6 / 0

If locale=x, then ! mark [a-zA-Z0-9:;><#=_-"]
Score: 1 / 0

Very simple solution actually. Here I was thinking we'd need AI to solve it.
Score: 6 / 0

People would call that solution AI these days. If it has at least one if statement, then they call it AI.
Score: 17 / 0

We say we have AI to get VC funding.
Score: 3 / 0

Or the non-ASCII character itself.
Score: 1 / 0

Doesn't work if it's invisible.
Score: 3 / 0

What about a box around it?
Score: 1 / 0
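The thread above sketches three reviewer aids: flag non-ASCII with a locale exception, flag the offending character rather than the whole line, and draw a box around characters that are invisible. The following is an added example, not code from the original post or from the blog it discusses, of a small scanner that does all three and goes one step further by also flagging identifiers that mix Latin with a look-alike script (the homoglyph case), regardless of locale. The locale allowlist, the script heuristic (first word of the `unicodedata` name) and the sample lines are constructed assumptions for illustration.

```python
"""Scan source text for the Unicode tricks discussed in the thread.

Added example, not from the original post. The locale allowlist, the
script heuristic (first word of the unicodedata name) and the sample
input are constructed for illustration.
"""
import re
import unicodedata
from dataclasses import dataclass

# Bidirectional controls (the "Trojan Source" class): ALM, LRM/RLM,
# embeddings, overrides and isolates.
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F,
                 *range(0x202A, 0x202F), *range(0x2066, 0x206A)}
# Format characters that render as nothing at all.
INVISIBLE = {0x00AD, 0x180E, 0x200B, 0x200C, 0x200D,
             0x2060, 0x2061, 0x2062, 0x2063, 0x2064, 0xFEFF}
# Scripts whose letters have near-identical Latin glyphs; mixing them
# with Latin inside one identifier is the classic homoglyph trick.
LATIN_LOOKALIKES = {"CYRILLIC", "GREEK"}
# Assumed per-locale allowlist of scripts that are ordinary in a code base.
LOCALE_SCRIPTS = {
    "en": {"LATIN"},
    "zh": {"LATIN", "CJK"},
    "ru": {"LATIN", "CYRILLIC"},
}
IDENT = re.compile(r"\w+")


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line number
    col: int      # 0-based column
    kind: str     # "bidi", "invisible", "non-ascii" or "mixed-script"
    text: str     # offending character or identifier
    detail: str


def script_of(ch: str) -> str:
    """Script heuristic: first word of the Unicode name ('CYRILLIC', 'CJK', ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def describe(ch: str) -> str:
    return f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"


def scan_line(lineno: int, line: str, locale: str = "en") -> list:
    allowed = LOCALE_SCRIPTS.get(locale, {"LATIN"})
    out = []
    # Character level: controls and invisibles are always reported; other
    # non-ASCII letters only when their script is foreign to the locale.
    for col, ch in enumerate(line):
        cp = ord(ch)
        if cp in BIDI_CONTROLS:
            out.append(Finding(lineno, col, "bidi", ch, describe(ch)))
        elif cp in INVISIBLE:
            out.append(Finding(lineno, col, "invisible", ch, describe(ch)))
        elif cp > 0x7F and ch.isalpha() and script_of(ch) not in allowed:
            out.append(Finding(lineno, col, "non-ascii", ch, describe(ch)))
    # Identifier level: Latin mixed with a look-alike script, whatever the locale.
    for m in IDENT.finditer(line):
        scripts = {script_of(c) for c in m.group() if c.isalpha()}
        if "LATIN" in scripts and scripts & LATIN_LOOKALIKES:
            out.append(Finding(lineno, m.start(), "mixed-script", m.group(),
                               "scripts: " + ", ".join(sorted(scripts))))
    return out


def scan(text: str, locale: str = "en") -> list:
    return [f for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(n, line, locale)]


def mark_hidden(line: str) -> str:
    """Render bidi/invisible characters as visible [U+XXXX] boxes."""
    hidden = BIDI_CONTROLS | INVISIBLE
    return "".join(f"[U+{ord(c):04X}]" if ord(c) in hidden else c for c in line)


# Constructed sample lines: a bidi-reordered comment, a Cyrillic homoglyph
# in an identifier, a zero-width space in a string literal, and a plain
# Chinese identifier that should pass under a zh locale.
SAMPLE = "\n".join([
    'access = "user\u202e \u2066// admin check\u2069 \u2066"',
    "p\u0430ssword = get_secret()",
    "token = 'abc\u200bdef'",
    "\u7528\u6237\u540d = load_user()",
])

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for f in scan(SAMPLE, "en"):
        print(f"line {f.line} col {f.col}: {f.kind:<12} {f.detail}")
        print("    " + mark_hidden(lines[f.line - 1]))
```

Under the `en` locale the Chinese identifier is reported as non-ASCII on every character, which is the objection raised in the thread; under `zh` it is silent while the bidi controls, the zero-width space and the Cyrillic-in-Latin identifier are still reported, because those checks do not depend on the locale.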