Impact
What kind of vulnerability is it? Who is impacted?
Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors and code-review tools. Exploiting this an attacker could embed source that is invisible to a code reviewer but that modifies the behavior of a program in unexpected ways. This vulnerability impacts all projects that allow Dart source contributions.
Patches
Has the problem been patched? What versions should users upgrade to?
Dart 2.15.0
(52519ea) introduces a new analysis warning flagging bidirectional Unicode. Users should upgrade to Dart 2.15.0
or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users could grep for bidirectional Unicode text sequences or review all sources in editors that display invisible characters.
Detailed example
Consider the following Dart source code:
void main() {
final accessLevel = 'user';
if (accessLevel == 'user // Check if admin ') {
print('You are a regular user.');
} else {
print('You are an admin.');
}
}
This looks unsuspicious, and you may assume that this will print 'You are a regular user.'
. However, if the code uses bidirectional Unicode characters the accessLevel
check may actually be quite different from how an editor of IDE might render it. The code above uses Unicode bidirectional characters to test for a very different string, as seen in this gist:
https://gist.github.com/mit-mit/7dda00ca6278ce7d2555f78d59d9e67b?h=1
As a result, the code prints that the user is an admin:
$ dart run bin/cvetest.dart
You are an admin.
The new analysis warning introduced in Dart 2.15.0 flags this:
$ dart analyze
Analyzing cvetest... 2.6s
info • bin/cvetest.dart:4:27 • The Unicode code point 'U+202E' changes the appearance of text from how it's interpreted by
the compiler. Try removing the code point or using the Unicode escape sequence '\u202E'. •
text_direction_code_point_in_literal
References
Are there any links users can visit to find out more?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42694
For more information
See our community page to find ways to contact the team.
Impact
What kind of vulnerability is it? Who is impacted?
Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors and code-review tools. Exploiting this an attacker could embed source that is invisible to a code reviewer but that modifies the behavior of a program in unexpected ways. This vulnerability impacts all projects that allow Dart source contributions.
Patches
Has the problem been patched? What versions should users upgrade to?
Dart
2.15.0
(52519ea) introduces a new analysis warning flagging bidirectional Unicode. Users should upgrade to Dart2.15.0
or later.Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users could grep for bidirectional Unicode text sequences or review all sources in editors that display invisible characters.
Detailed example
Consider the following Dart source code:
This looks unsuspicious, and you may assume that this will print
'You are a regular user.'
. However, if the code uses bidirectional Unicode characters theaccessLevel
check may actually be quite different from how an editor of IDE might render it. The code above uses Unicode bidirectional characters to test for a very different string, as seen in this gist:https://gist.github.com/mit-mit/7dda00ca6278ce7d2555f78d59d9e67b?h=1
As a result, the code prints that the user is an admin:
The new analysis warning introduced in Dart 2.15.0 flags this:
References
Are there any links users can visit to find out more?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42694
For more information
See our community page to find ways to contact the team.