| 1 | +#!/bin/bash |
| 2 | + |
| 3 | +## Copyright (C) 2026 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org> |
| 4 | +## See the file COPYING for copying conditions. |
| 5 | + |
| 6 | +set -o errexit |
| 7 | +set -o nounset |
| 8 | +set -o errtrace |
| 9 | +set -o pipefail |
| 10 | + |
| 11 | +# shellcheck source=../libexec/helper-scripts/log_run_die.sh |
| 12 | +source /usr/libexec/helper-scripts/log_run_die.sh |
| 13 | + |
| 14 | +check_ref_commits_for_unicode() { |
| 15 | + local target_ref commit_list commit commit_diff unicode_report \ |
| 16 | + unicode_show_exit_code found_malicious_unicode |
| 17 | + |
| 18 | + target_ref="${1:-}" |
| 19 | + if [ -z "${target_ref}" ]; then |
| 20 | + die 1 'No target ref specified!' |
| 21 | + fi |
| 22 | + |
| 23 | + if ! [ "$(git rev-parse --is-inside-work-tree 2>/dev/null)" = 'true' ]; then |
| 24 | + die 1 'Current working directory is not inside a Git working tree!' |
| 25 | + fi |
| 26 | + |
| 27 | + if ! git rev-parse --verify "${target_ref}" >/dev/null 2>/dev/null; then |
| 28 | + die 1 'Target ref does not exist!' |
| 29 | + fi |
| 30 | + |
| 31 | + readarray -t commit_list < <(git log --format=%H "HEAD..${target_ref}") |
| 32 | + if [ -z "${commit_list[0]:-}" ]; then |
| 33 | + die 1 'No new commits in target ref!' |
| 34 | + fi |
| 35 | + |
| 36 | + found_malicious_unicode='false' |
| 37 | + for commit in "${commit_list[@]}"; do |
| 38 | + ## --no-ext-diff prevents use of external diff drivers. |
| 39 | + ## |
| 40 | + ## --unified=0 prevents false positives from unicode-show resulting from |
| 41 | + ## unmodified empty lines showing up in the diff as one (or in the case of |
| 42 | + ## merge commits sometimes two) spaces. |
| 43 | + ## |
| 44 | + ## --no-textconv prevents text conversion filters from running. |
| 45 | + ## |
| 46 | + ## The commit message is intentionally included since it could contain |
| 47 | + ## malicious unicode too. |
| 48 | + commit_diff="$(git show \ |
| 49 | + --no-ext-diff \ |
| 50 | + --unified=0 \ |
| 51 | + --no-textconv \ |
| 52 | + --format=$'Author: %an\nAuthor email: %ae\nCommitter: %cn\nCommitter email: %ce\n%B' \ |
| 53 | + "${commit}")" |
| 54 | + unicode_show_exit_code='0' |
| 55 | + unicode_report="$(unicode-show <<< "${commit_diff}" 2>&1)" \ |
| 56 | + || unicode_show_exit_code="$?" |
| 57 | + |
| 58 | + if [ -n "${unicode_report}" ] \ |
| 59 | + || [ "${unicode_show_exit_code}" != '0' ]; then |
| 60 | + log warn "Potentially malicious unicode detected in commit '${commit}'! Details:" |
| 61 | + printf '%s\n' "${unicode_report:-'No stdout or stderr from unicode-show!'}" |
| 62 | + found_malicious_unicode='true' |
| 63 | + else |
| 64 | + log notice "No potentially malicious unicode detected in commit '${commit}'." |
| 65 | + fi |
| 66 | + done |
| 67 | + |
| 68 | + if [ "${found_malicious_unicode}" = 'true' ]; then |
| 69 | + die 1 'Potentially malicious unicode detected!' |
| 70 | + fi |
| 71 | + log notice 'No potentially malicious unicode detected.' |
| 72 | +} |
| 73 | + |
| 74 | +check_ref_commits_for_unicode "$@" |
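Review bot: File paths are not covered by the scan: with git's default `core.quotePath=true`, any byte above 0x7F in a path is printed in the `diff --git`/`---`/`+++`/`rename` headers as octal escapes such as `\342\200\256`, so a bidi override or homoglyph in a file name never reaches unicode-show as Unicode, while the same character in file content or the commit message would be flagged. Changing the invocation that builds `commit_diff` to `commit_diff="$(git -c core.quotePath=false show \` makes those bytes appear verbatim (control characters, quotes and backslashes stay escaped). In the same command, a blob git classifies as binary, or a path marked `-diff` in the checked-out `.gitattributes`, is reduced to `Binary files differ` and its bytes are never inspected; adding `--text \` should force a textual diff for those too, with bash then dropping any NUL bytes from the command substitution, which does not hide anything unicode-show would look at. Two smaller points: `git rev-parse --verify --end-of-options "${target_ref}"` stops a `-`-prefixed argument from being parsed as a rev-parse option, and the fallback in the `printf` after the warning prints its literal single quotes because `${var:-'…'}` inside double quotes does not undergo quote removal, so it should read `"${unicode_report:-No stdout or stderr from unicode-show!}"`.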