Discussion
Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories
minus7: The `eval` alone should be enough of a red flag
kordlessagain: No it’s not.
DropDead: Why didn't someone make an AV rule to find stuff like this? They are just plain text files.
abound: Yeah it would have been nice to end with "and here's a five-line shell script to check if your project is likely affected". But to their credit, they do have an open-source tool [1], I'm just not willing to install a big blob of JavaScript to look for vulns in my other big blobs of JavaScript.

[1] https://github.com/AikidoSec/safe-chain
nine_k: Something like this should work, assuming your encoding is Unicode (normally UTF-8), which grep would interpret: grep -P '[\x{200B}\x{200C}\x{200D}\x{FEFF}]' code.ts See https://stackoverflow.com/q/78129129/223424
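A fuller version of the grep check above, as an added example that is not from the thread, from the Aikido tool, or from the article: it walks a directory, decodes each file as UTF-8 and reports the line, column and Unicode name of every invisible code point, so a hit in a dependency can be located rather than just counted. The set it flags is my choice, not something the thread states: the four code points from the grep, plus every character in the Unicode "Cf" (format) category (which also covers the bidi overrides and the tag block) and the variation-selector blocks, which are category "Mn" and so would otherwise slip through. The sample JavaScript at the bottom is constructed for the demonstration.

```python
"""Report invisible Unicode code points in source files, one hit per line:col."""
import sys
import unicodedata
from pathlib import Path
from typing import Iterable, List, NamedTuple

# The four code points from the grep in the thread.
EXPLICIT = {0x200B, 0x200C, 0x200D, 0xFEFF}
# Variation selectors (U+FE00..FE0F and U+E0100..E01EF) are category "Mn",
# so a category-only check would miss them; listing them is my choice here.
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing but survive in source."""
    cp = ord(ch)
    return (cp in EXPLICIT
            or cp in VARIATION_SELECTORS
            or unicodedata.category(ch) == "Cf")  # format chars: ZW*, bidi, tags


class Hit(NamedTuple):
    path: str
    line: int
    col: int
    codepoint: int
    name: str


def scan_text(text: str, path: str = "<text>") -> List[Hit]:
    """Scan one decoded file; split on '\\n' so line numbers match grep -n."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ch):
                hits.append(Hit(path, lineno, col, ord(ch),
                                unicodedata.name(ch, "<unnamed>")))
    return hits


def scan_tree(root: Path,
              suffixes: Iterable[str] = (".js", ".mjs", ".cjs", ".ts", ".json")
              ) -> List[Hit]:
    """Scan every matching file under root, including node_modules (that is
    where a poisoned dependency lives). Files that are not valid UTF-8 are
    skipped, since this check only makes sense on Unicode text."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix not in suffixes or ".git" in p.parts:
            continue
        try:
            text = p.read_bytes().decode("utf-8")
        except UnicodeDecodeError:
            continue
        hits.extend(scan_text(text, str(p)))
    return hits


# Constructed sample: an invisible character hidden after a statement and a
# BOM used inside an identifier. Neither shows up in an editor or a diff view.
SAMPLE_JS = (
    'const cfg = { mode: "prod" };\n'
    'if (cfg.mode) {\n'
    '    eval(payload);\u200b\n'
    '}\n'
    'let a\ufeff = 1;\n'
)


def main(argv: List[str]) -> int:
    root = Path(argv[1]) if len(argv) > 1 else Path(".")
    hits = scan_tree(root)
    for h in hits:
        print(f"{h.path}:{h.line}:{h.col}: U+{h.codepoint:04X} {h.name}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Run with a directory argument, e.g. `python scan.py node_modules`;
    # with no argument it scans the current directory. Non-zero exit on any hit
    # makes it usable as a CI gate.
    sys.exit(main(sys.argv))
```

This is deliberately noisy rather than clever: a legitimate BOM at byte 0 or a zero-width joiner inside an emoji string literal will be reported too, and the reviewer decides. The useful property is that the hit comes with an exact position and a code point name, so "why is there a ZERO WIDTH SPACE after a semicolon in a build script" is a question that can be asked of a specific line.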
simonreiff: OWASP disagrees: See https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Securi..., listing `eval()` first in its small list of examples of "JavaScript functions that are dangerous and should only be used where necessary or unavoidable". I'm unaware of any such uses, myself. I can't think of any scenario where I couldn't get what I wanted by using some combination of `vm`, the `Function` constructor, and a safe wrapper around `JSON.parse()` to do anything I might have considered doing unsafely with `eval()`. Yes, `eval()` is a blatant red flag and definitely should be avoided.