
Merge pull request #6 from JLLeitschuh/feat/JLL/homoglyph_detector #6

Merged
merged 4 commits into from
Jan 15, 2020

Conversation


@JLLeitschuh JLLeitschuh commented Jan 13, 2020

The added homoglyph detector was generated from this PR here (has updated Unicode confusables):

codebox/homoglyph#7

This PR now uses the unhomoglyph project:
https://www.npmjs.com/package/unhomoglyph

This allows us to use a kind of fuzzy search to find all instances of the gradle-wrapper.jar that may also contain a homoglyph attack.
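The fuzzy search described above, as an added example that is not code from this action or from the unhomoglyph package: each candidate file name is folded to an ASCII "skeleton" using a small, hand-built confusables table (an assumption standing in for the full Unicode table the real package ships), and the skeleton is compared with the expected wrapper name so look-alike files are surfaced for validation instead of being silently skipped.

```javascript
// Added example; the confusables table below is a constructed subset, not the
// real unhomoglyph data. Node 12+ (Unicode property escapes, String.normalize).
const EXPECTED = 'gradle-wrapper.jar';

// Look-alike code point -> ASCII skeleton. Constructed for the example.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], // Cyrillic a
  ['\u0435', 'e'], // Cyrillic ie
  ['\u0440', 'p'], // Cyrillic er
  ['\u0455', 's'], // Cyrillic dze
  ['\u0456', 'i'], // Cyrillic i
  ['\u0458', 'j'], // Cyrillic je
  ['\u0131', 'i'], // Latin dotless i
  ['\u2010', '-'], // hyphen
  ['\u2011', '-'], // non-breaking hyphen
  ['\u2024', '.'], // one dot leader
]);

// Fold a file name to its skeleton: NFKD expands compatibility forms such as
// fullwidth letters, combining marks are dropped, and known look-alikes are
// mapped to their ASCII base letter. Lower-casing makes the match deliberately
// broad: we want every plausible wrapper jar to reach validation.
function skeleton(name) {
  let out = '';
  for (const ch of name.normalize('NFKD')) {
    if (/\p{M}/u.test(ch)) continue;
    out += CONFUSABLES.get(ch) || ch;
  }
  return out.toLowerCase();
}

// Return every path whose basename looks like gradle-wrapper.jar, flagging the
// ones that only match after folding (i.e. possible homoglyph attacks).
function findWrapperJars(paths) {
  return paths
    .filter((p) => skeleton(p.split('/').pop()) === EXPECTED)
    .map((p) => ({ path: p, homoglyph: p.split('/').pop() !== EXPECTED }));
}

// Constructed sample repository listing.
const SAMPLE_PATHS = [
  'gradle/wrapper/gradle-wrapper.jar',
  'sub/gradle/wrapper/gr\u0430dle-wr\u0430pper.jar', // Cyrillic a twice
  'other/\uFF47radle-wrapper.jar',                   // fullwidth g
  'gradle/wrapper/gradle-wrapper.properties',
  'lib/gradle-wrapper.jar.bak',
];

console.log(findWrapperJars(SAMPLE_PATHS));
```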


@eskatos eskatos left a comment


It's nice to detect homoglyph attacks, but such attacks would already be very visible in git diffs so I don't see any urgency in adding such a feature to this action.

So, let's not inline the homoglyph library and instead use a dependency once your upstream PR is accepted.

There are also some conflicts to be resolved.

* master:
  Add :
  Build
  Rework output
  Let finding wrapper jars be predictable
  Ignore IDEA files
@eskatos eskatos self-requested a review January 15, 2020 17:11
@eskatos eskatos added the enhancement New feature or request label Jan 15, 2020

@eskatos eskatos left a comment


💯

@JLLeitschuh JLLeitschuh changed the title Add a homoglyph detector for gradle-wrapper.jar files Merge pull request #6 from JLLeitschuh/feat/JLL/homoglyph_detector Jan 15, 2020
@JLLeitschuh JLLeitschuh merged commit ffa49e0 into gradle:master Jan 15, 2020
@JLLeitschuh JLLeitschuh deleted the feat/JLL/homoglyph_detector branch January 15, 2020 19:16