<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">On Oct 3, 2017, at 9:43 AM, Félix Cloutier <<a href="mailto:felixcloutier@icloud.com" class="">felixcloutier@icloud.com</a>> wrote:<br class=""><div><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="">I don’t think this is something we have to try hard to avoid. It is true that some characters look similar, particularly in some fonts, but this isn’t new:<br class=""><br class=""> let a1 = 42<br class=""> let al = 12<br class=""> let b = al + a1 <br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">There is a fundamental difference between similar characters and characters that are meant to be visually identical. People judge the quality of a font by its Unicode support, and that means that only "low-quality" fonts would render, say, LATIN CAPITAL LETTER T and GREEK CAPITAL LETTER TAU differently.</div></div></div></div></blockquote><div><br class=""></div><div>As Dave DeLong mentions downthread, it really isn’t different. Different codepoints can look similar in some fonts and different in other fonts. That is reality for a broad range of codepoints. </div><div><br class=""></div><div>All I’m saying is that it isn’t a priority (to me) to “solve” this problem.</div><br class=""><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""><blockquote type="cite" class=""><div class=""><div class="">If there were real code that was maliciously shadowing to try to cause confusion, then you have a more serious problem on your hands than someone accidentally misunderstanding which one to use.<br class=""></div></div></blockquote><div class=""><br class=""></div>I'm not sure I understand. If the "more serious problem" you're talking about is that your popular project is a valuable target to subvert, then there is no question that being backdoored would be more serious than people not reading your code right. I don't see how it pushes the problem out of scope, though.<br class=""><div class=""><br class=""></div><div class="">As a security guy, I take my role of thinking about how anything can be abused very seriously. Backdoored open source projects turn up every now and then.</div><div class=""><br class=""></div><div class="">This code is backdoored. I challenge you to spot the bug:</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(253, 246, 227);" class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);" class=""><span style="color: #859901" class="">func</span> shellEscape(<span style="color: #859901" class="">_</span> args: [<span style="color: #b58901" class="">String</span>]) -> [<span style="color: #b58901" class="">String</span>]?</div><div style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);" class=""><span style="color: #859901" class="">func</span> isWhitelisted(<span style="color: #859901" class="">_</span> tool: <span style="color: #b58901" class="">String</span>) -> <span style="color: #b58901" class="">Bool</span></div><div style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; font-stretch: normal; line-height: normal; color: rgb(101, 123, 131);" class=""><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""><span style="color: #859901" class="">func</span> execute(externalTool: <span style="color: #b58901" class="">String</span>, parameters: [<span style="color: #b58901" class="">String</span>]) {</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""> <span style="color: #859901" class="">if</span> <span style="color: #6c71c4" class="">isWhitelisted</span>(externalTool), <span style="color: #859901" class="">let</span> pаrameters = <span style="color: #6c71c4" class="">shellEscape</span>(parameters) {</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""> print(<span style="color: #2aa198" class="">"Running tool </span>\<span style="color: #2aa198" class="">(</span>pаrameters[<span style="color: #2aa198" class="">0</span>]<span style="color: #2aa198" class="">)"</span>)<span style="color: #2aa198" class="">"</span></div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""> system(parameters.joined(separator: <span style="color: #2aa198" class="">" "</span>))</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class=""> }</div><div style="margin: 0px; font-stretch: normal; line-height: normal;" class="">}</div></div></div></div></div></div></div></blockquote><div><br class=""></div><blockquote type="cite" class=""><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="">All I’m saying is that we shouldn’t complicate the design to solve this problem (IMO). If it falls out of the solution somehow (e.g. just disallow invisible characters) then that’s great of course!<br class=""></div></div></blockquote><div class=""><br class=""></div><div class="">How did you identify the bug in the snippet from above? Is it practical enough that you would, for instance, recommend that the server group do that test on every PR that they receive going forward?</div><div class=""><br class=""></div><div class="">I think that it's hard to build something meaningful without making it look suspicious. It's already kind of fishy that my shellEscape function returns an Optional, and people will eventually figure out that the parameters are not, in fact, shell-escaped. Still, I feel that it should be recognized that security is more than buffer overflows and integer overflows, and if there ever is an underhanded Swift code contest, that'll be my entry.</div></div></div></div></blockquote></div><br class=""><div class=""><div>I don’t see the bug, but I assume you’re doing something evil with “parameters" not getting shell escaped. </div><div><br class=""></div><div>Seriously, I get the issue you’re trying to draw attention to, and I respect the fact that good security folks are paranoid :-). That doesn’t make “fixing this” a high priority in itself though. We have to weight the cost and benefit of solving this. If “solving” this problem makes swift substantially more complex, difficult to specify, or difficult to maintain, or if it prevents this proposal from going through, then MHO is that this is not worth fixing.</div><div><br class=""></div><div>The rationale is that if you have evil actors trying to subvert your code, there are a lot easier ways to do so than through this mechanism. Additionally, if you are someone who cares so much, it is trivial to define additional checker tools outside of the compiler to check for such things - just as some people enforce house style rules (like no use of “x!”) in external tools. All problems do not have to be solved through language design.</div><div><br class=""></div><div>-Chris</div><div class=""><br class=""></div><blockquote type="cite" class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space;"><div class=""></div></div></blockquote></div></body></html>