Skip to content

Unsafe bidirectional unicode characters

Moderate
mit-mit published GHSA-8pcp-6qc9-rqmv Dec 8, 2021

Package

Core SDK (Dart)

Affected versions

<2.15.0

Patched versions

2.15.0

Description

Impact

What kind of vulnerability is it? Who is impacted?

Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors and code-review tools. Exploiting this an attacker could embed source that is invisible to a code reviewer but that modifies the behavior of a program in unexpected ways. This vulnerability impacts all projects that allow Dart source contributions.

Patches

Has the problem been patched? What versions should users upgrade to?

Dart 2.15.0 (52519ea) introduces a new analysis warning flagging bidirectional Unicode. Users should upgrade to Dart 2.15.0 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Users could grep for bidirectional Unicode text sequences or review all sources in editors that display invisible characters.

Detailed example

Consider the following Dart source code:

void main() {
  final accessLevel = 'user';

  if (accessLevel == 'user‮ ⁦// Check if admin⁩ ⁦') {
    print('You are a regular user.');
  } else {
    print('You are an admin.');
  }
}

This looks unsuspicious, and you may assume that this will print 'You are a regular user.'. However, if the code uses bidirectional Unicode characters the accessLevel check may actually be quite different from how an editor of IDE might render it. The code above uses Unicode bidirectional characters to test for a very different string, as seen in this gist:
https://gist.github.com/mit-mit/7dda00ca6278ce7d2555f78d59d9e67b?h=1

As a result, the code prints that the user is an admin:

$ dart run bin/cvetest.dart
You are an admin.

The new analysis warning introduced in Dart 2.15.0 flags this:

$ dart analyze
Analyzing cvetest...                   2.6s

   info • bin/cvetest.dart:4:27 • The Unicode code point 'U+202E' changes the appearance of text from how it's interpreted by
          the compiler. Try removing the code point or using the Unicode escape sequence '\u202E'. •
          text_direction_code_point_in_literal

References

Are there any links users can visit to find out more?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42694

For more information

See our community page to find ways to contact the team.

Severity

Moderate

CVE ID

CVE-2021-22567

Weaknesses

No CWEs