Node.js project review of CVE-2021-42574 and CVE-2021-42694

[midawson]

You may have read the announcement today about the potential for supply chain attacks using characters within source files that are not visible to human code reviewers: https://www.trojansource.codes/.

The ECMAScript specification requires support for these characters (see section 12.1 at https://tc39.es/ecma262/#sec-unicode-format-control-characters). Node.js or any ECMAScript-compliant engine must allow these characters, which have valid uses in source code.

Due diligence including code scans (for example for licenses) should already be part of your processes both for the code you write and dependencies that you use within your application. The script provided by Red Hat https://access.redhat.com/sites/default/files/find_unicode_control2--2021-11-01-1136.zip is a good way to scan and identify files that you may want to review with respect to usage of the special characters identified.

For some statically compiled languages, it may make sense to incorporate a check into the compiler instead of using an external script. However, for dynamic languages such as JavaScript, there are potential issues with that approach. These include:

• Finding out too late that there is usage of these characters. Dynamic languages may load a source file in the middle of their execution. At this point the application is already deployed and you don't necessarily want to block it from running and non-blocking warnings may not be noticed. It is more effective to scan all files that make up the application before it is run.
• The runtime overhead of the scan will be incurred unnecessarily every time the application is run. It is better to scan as part of your development/build/release processes as it will not add any additional runtime overhead once the application is deployed.

At this time, we do not plan to provide an option to scan at runtime. We recommend that external scripts/processes be used instead

[midawson]

For those who asked for more details about the script referenced, it is now also available in GitHub - https://github.com/siddhesh/find-unicode-control