>> That said, nothing on my buildchain actually throws an error or warning.
use hooks for CI on pre-commit / merge and pull requests, e.g. like this pre-commit which would catch bi-directional trojan sources:
#!/usr/bin/env python3
# Reads pre-receive style "<old-sha> <new-sha> <refname>" lines from stdin
# and refuses the push if any diff introduces Unicode bidi control characters.
import sys
import subprocess

# LRE, RLE, LRO, RLO, LRI, RLI, FSI, PDF, PDI: the controls used by Trojan Source
bidi_chars = '\u202A\u202B\u202D\u202E\u2066\u2067\u2068\u202C\u2069'

def is_null_sha(sha):
    return sha.strip('0') == ''  # all zeros: ref is being created or deleted

for line in sys.stdin:
    old, new, ref = line.split()
    if is_null_sha(new):
        continue  # ref deletion, nothing to scan
    if is_null_sha(old):
        # newly created ref: diff against the empty tree so every file is scanned
        old = subprocess.run(['git', 'hash-object', '-t', 'tree', '/dev/null'],
                             stdout=subprocess.PIPE, text=True).stdout.strip()
    diff = subprocess.run(['git', 'diff', old, new],
                          stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT,
                          text=True)
    if diff.returncode != 0:
        print(diff.stdout)
        sys.exit(f'git diff ended with rc={diff.returncode}, receive TERMINATED')
    if any(c in diff.stdout for c in bidi_chars):
        print(diff.stdout)
        sys.exit('Possible Trojan Source Attack, receive REFUSED')
I wish github/gitlab would provide such features out of the box which also follow best practice, so people can stop pasting them from the web or reinventing their own version in every team ...
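As an added example (my own code, not the poster's hook), here is the same idea done as a client-side pre-commit check over `git diff --cached`. It goes a bit beyond the snippet above: it parses the unified diff so each hit is reported as path:line:column with the Unicode name of the control, and it flags lines that end with an embedding, override or isolate still open, which is the shape the Trojan Source trick relies on. The function names, the sample diff and the `--cached` invocation are my assumptions for a pre-commit setup; the bidi code points are the same ones the poster lists.

```python
#!/usr/bin/env python3
"""Pre-commit style scan: report Unicode bidi controls added by a unified diff."""
import subprocess
import sys
import unicodedata

# Embeddings/overrides (closed by PDF) and isolates (closed by PDI).
BIDI_OPEN_PDF = '\u202A\u202B\u202D\u202E'   # LRE, RLE, LRO, RLO
BIDI_OPEN_PDI = '\u2066\u2067\u2068'         # LRI, RLI, FSI
PDF, PDI = '\u202C', '\u2069'
BIDI_ALL = BIDI_OPEN_PDF + BIDI_OPEN_PDI + PDF + PDI


def find_bidi(text):
    """Return (line_no, col, unicode_name, unterminated) for every bidi control.

    unterminated is True when the line ends with at least one embedding,
    override or isolate not closed by PDF/PDI on that same line.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hits = [(col, ch) for col, ch in enumerate(line, 1) if ch in BIDI_ALL]
        if not hits:
            continue
        depth = 0
        for _, ch in hits:
            if ch in BIDI_OPEN_PDF or ch in BIDI_OPEN_PDI:
                depth += 1
            elif depth > 0:
                depth -= 1
        unterminated = depth > 0
        for col, ch in hits:
            findings.append((line_no, col, unicodedata.name(ch), unterminated))
    return findings


def scan_diff(diff_text):
    """Walk a unified diff and report controls in added lines as
    (path, new_line_no, col, unicode_name, unterminated)."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith('+++ '):
            path = raw[4:]
            path = path[2:] if path.startswith('b/') else path
        elif raw.startswith('@@'):
            # "@@ -old,cnt +new,cnt @@": take the start of the new-side range
            new_range = raw.split()[2]          # e.g. "+12,4" or "+12"
            new_line = int(new_range[1:].split(',')[0])
        elif raw.startswith('+'):
            for _, col, name, unterminated in find_bidi(raw[1:]):
                findings.append((path, new_line, col, name, unterminated))
            new_line += 1
        elif raw.startswith('-') or raw.startswith('\\'):
            continue   # removed line or "\ No newline": new side does not advance
        else:
            new_line += 1   # context line (or a diff header before the first @@)
    return findings


# Constructed sample diff (not a real commit): one added line containing an
# RLO and an LRI that are never closed, which is exactly what we want flagged.
SAMPLE_DIFF = (
    'diff --git a/access.c b/access.c\n'
    '--- a/access.c\n'
    '+++ b/access.c\n'
    '@@ -10,2 +10,3 @@\n'
    ' int check(int is_admin) {\n'
    '+/* \u202e \u2066 */\n'
    '     return 0;\n'
)


def main():
    # Assumed pre-commit usage: scan what is staged for the commit.
    diff = subprocess.run(['git', 'diff', '--cached', '--unified=0'],
                          stdout=subprocess.PIPE, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, ln, col, name, unterminated in findings:
        flag = ' (left open at end of line)' if unterminated else ''
        print(f'{path}:{ln}:{col}: {name}{flag}')
    return 1 if findings else 0


if __name__ == '__main__':
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` it refuses the commit with a file/line/column report instead of dumping the whole diff; the same `scan_diff` can be fed the output of `git diff old new` inside a server-side pre-receive hook.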