UCENE-10218: Extend validateSourcePatterns task to scan for LTR/RTL unicode to catch "Trojan Source" source code attacks (#425)

Co-authored-by: Dawid Weiss <dawid.weiss@carrotsearch.com> # Conflicts: # gradle/validation/validate-source-patterns.gradle
2025-02-07 10:38:40 +00:00 · 2021-11-03 17:19:24 +01:00 · 2021-11-03 17:19:24 +01:00 · 6ccee3204f
commit 6ccee3204f
parent 5fa093bdba
1 changed files with 21 additions and 30 deletions
--- a/gradle/validation/validate-source-patterns.gradle
+++ b/gradle/validation/validate-source-patterns.gradle
@ -61,8 +61,8 @@ def extensions = [
    'xsl',
 ]

-// Create source validation task local for each project's files.
-subprojects {
+// Create source validation task local to each project
+allprojects {
  task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
    group = 'Verification'
    description = 'Validate Source Patterns'
@ -78,16 +78,31 @@ subprojects {
      }

      // default excludes.
-      exclude 'build/**'
+      exclude '**/build/**'
      exclude '**/.idea/**'

-      // ignore txt files in source resources and tests.
-      exclude 'src/**/*.txt'
+      if (project == rootProject) {
+        // ourselves :-)
+        exclude 'gradle/validation/validate-source-patterns.gradle'
+
+        // gradle and idea folders.
+        exclude '.gradle/**'
+        exclude '.idea/**'
+      } else {
+        // ignore txt files in source resources and tests.
+        exclude 'src/**/*.txt'
+      }
    }
  }

  // Add source validation to per-project checks as well.
  check.dependsOn validateSourcePatterns
+
+  // Ensure validation runs prior to any compilation task. This also means
+  // no executable code can leak out to other modules.
+  tasks.withType(JavaCompile).configureEach {
+    mustRunAfter validateSourcePatterns
+  }
 }

 configure(project(':lucene:benchmark')) {
@ -98,31 +113,6 @@ configure(project(':lucene:benchmark')) {
  }
 }

-configure(rootProject) {
-  task validateSourcePatterns(type: ValidateSourcePatternsTask) { task ->
-    group = 'Verification'
-    description = 'Validate Source Patterns'
-
-    sourceFiles = fileTree(projectDir) {
-      extensions.each{
-        include "**/*.${it}"
-      }
-
-      // Don't go into child projects (scanned separately).
-      childProjects.keySet().each{
-        exclude "${it}/**"
-      }
-
-      // default excludes.
-      exclude '**/build/**'
-
-      // ourselves :-)
-      exclude 'gradle/validation/validate-source-patterns.gradle'
-    }
-  }
-
-  check.dependsOn validateSourcePatterns
-}

 class ValidateSourcePatternsTask extends DefaultTask {
  private ProgressLoggerFactory progressLoggerFactory
@ -142,6 +132,7 @@ class ValidateSourcePatternsTask extends DefaultTask {
      (~$/(?i)\bno(n|)commit\b/$) : 'nocommit',
      (~$/\bTOOD:/$) : 'TOOD instead TODO',
      (~$/\t/$) : 'tabs instead spaces',
+      (~$/[\u202A-\u202E\u2066-\u2069]/$) : 'misuse of RTL/LTR (https://trojansource.codes)',
      (~$/\Q/**\E((?:\s)|(?:\*))*\Q{@inheritDoc}\E((?:\s)|(?:\*))*\Q*/\E/$) : '{@inheritDoc} on its own is unnecessary',
      (~$/\$$(?:LastChanged)?Date\b/$) : 'svn keyword',
      (~$/\$$(?:(?:LastChanged)?Revision|Rev)\b/$) : 'svn keyword',