Mitigating Trojan Source Attacks with Security for Bitbucket


The Trojan Source attack, tracked as CVE-2021-42574 and disclosed on Nov 1, 2021, abuses the invisible Unicode bidirectional (Bidi) control characters that tell a text renderer to display a run of text left-to-right or right-to-left. Compilers accept these characters inside comments and string literals, so an attacker can place them there to craft source code that a human reviewer reads one way but the compiler parses another: code that appears to be commented out can actually run, and code that appears to be live can be silently commented out or skipped by an early return.

   Figures 3 and 4 from “Trojan Source: Invisible Vulnerabilities” by Nicholas Boucher and Ross Anderson

Atlassian has updated Bitbucket to highlight these characters in pull requests and in the source code view, so that a Bidi control inserted into your source code is visible to reviewers rather than rendered invisibly: Multiple Products Security Advisory — Unrendered unicode bidirectional override characters — CVE-2021-42574.

   Bitbucket’s mitigation for Trojan Source attacks highlights the hidden characters for reviewers.

Highlighting only helps if a reviewer happens to look at the affected line. But what if you want to prevent these characters from being committed in the first place, or automatically audit an existing Bitbucket instance for code that already contains them? Security for Bitbucket by Soteri offers a built-in rule that finds these characters and blocks commits containing them.
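To make both points above concrete (how a Bidi control changes what code does, and how a commit-time check catches it), here is an added example in Python. It is not Soteri's or Atlassian's code; the sample source it scans is constructed for this page in the style of the paper's early-return trick, and the file-scanning entry point is a hypothetical pre-commit or pre-receive check that exits non-zero when any file contains one of the nine Bidi formatting characters the attack relies on.

```python
"""Detect Unicode bidirectional control characters (Trojan Source, CVE-2021-42574).

Added example for this page, not Soteri's or Atlassian's code. Can be run as a
pre-commit / pre-receive check: exit non-zero when any given file contains one of
the Bidi override, embedding or isolate characters the attack relies on.
"""
import re
import sys
from pathlib import Path

# The nine Bidi formatting characters named in the Trojan Source paper.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")


def find_bidi_controls(text: str):
    """Return (line, column, name) for each Bidi control in text; positions are 1-based."""
    return [
        (line_no, m.start() + 1, BIDI_CONTROLS[m.group()])
        for line_no, line in enumerate(text.splitlines(), start=1)
        for m in BIDI_RE.finditer(line)
    ]


def reveal(text: str) -> str:
    """Replace each hidden control with a visible tag such as <RLI>, the way a review
    UI highlights it, so the reader sees the character order the compiler sees."""
    return BIDI_RE.sub(lambda m: "<" + BIDI_CONTROLS[m.group()] + ">", text)


def scan_paths(paths):
    """Scan files and return {path: findings} for the files that contain Bidi controls."""
    report = {}
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        findings = find_bidi_controls(text)
        if findings:
            report[str(p)] = findings
    return report


# Constructed sample (not from the page). An RLI (U+2067) inside the docstring makes
# the trailing `''' ;return` render as `return ;'''`, so to a reviewer the `return`
# looks like docstring text, while the interpreter sees the docstring end and then a
# real `return` statement before the subtraction.
SAMPLE = (
    "bank = {'alice': 100}\n"
    "def subtract_funds(account, amount):\n"
    "    ''' Subtract funds from bank account then \u2067''' ;return\n"
    "    bank[account] -= amount\n"
    "subtract_funds('alice', 50)\n"
)


def run_sample() -> int:
    """Execute SAMPLE and return alice's balance. The hidden early return skips the
    subtraction, so the balance is still 100 instead of the expected 50."""
    ns = {}
    exec(SAMPLE, ns)
    return ns["bank"]["alice"]


def main(argv) -> int:
    """Hypothetical hook entry point: report every finding, exit 1 if there are any."""
    report = scan_paths(argv)
    for path, findings in report.items():
        for line, col, name in findings:
            print(f"{path}:{line}:{col}: Bidi control {name} (possible Trojan Source)")
    return 1 if report else 0


if __name__ == "__main__":
    print(reveal(SAMPLE))
    print("balance after the sample runs:", run_sample())
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the sample with its hidden control made visible and the balance it leaves behind; pass file paths to use it as a hook. The check is deliberately blunt: it flags every Bidi formatting character rather than trying to judge whether a particular placement is malicious, because legitimate source code almost never needs these characters outside of localisation data, and a false positive is a one-line review rather than a silently altered control flow.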

For more information on the vulnerability, visit the Trojan Source Attacks site (trojansource.codes) and read the paper.