Improper Handling of Unicode Encoding (CWE-176)

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

Verbreitung

Mittel

3 Sprachen abgedeckt

Auswirkung

Mittel

Review empfohlen

Prävention

Dokumentiert

3 Fix-Beispiele

2 Prävention

So behebst du diese Schwachstelle

Präventionsstrategien für Improper Handling of Unicode basierend auf 3 Shoulder-Erkennungsregeln.

🐹 Go Alle anzeigen Go Details →

Unicode Normalization Security Issues MEDIUM

Normalize strings with NFKC before security-sensitive comparisons

+6 -3 go

- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.FormValue("username")
-     if username == "admin" {
+ import "golang.org/x/text/unicode/norm"
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.FormValue("username")
+     normalized := norm.NFKC.String(strings.ToLower(username))
+     if normalized == "admin" {
          grantAdminAccess()
      }
  }

🟨 JavaScript Alle anzeigen JavaScript Details →

Unicode Normalization Security Issues MEDIUM

Normalize Unicode strings with NFKC before security-sensitive comparisons

+2 -1 javascript

  app.post('/login', (req, res) => {
-   if (req.body.username === 'admin') {
+   const username = req.body.username.normalize('NFKC').toLowerCase();
+   if (username === 'admin') {
      return res.send('Admin access');
    }
  });

🐍 Python Alle anzeigen Python Details →

Unicode Normalization Issues MEDIUM

Normalize Unicode strings with NFKC before comparison or security-critical operations

+6 -2 python

- def check_username(input_name, stored_name):
-     if input_name == stored_name:
+ import unicodedata
+ 
+ def check_username(input_name, stored_name):
+     normalized_input = unicodedata.normalize('NFKC', input_name).lower()
+     normalized_stored = unicodedata.normalize('NFKC', stored_name).lower()
+     if normalized_input == normalized_stored:
          grant_access()

3 Erkennung

Finden Sie Schwachstellen in Ihrem Code

Verwenden Sie Shoulder, um Ihren Code nach Improper Handling of Unicode Encoding-Mustern zu scannen. 3 Regeln.

Terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=176

# Or scan entire project
npx @shoulderdev/cli trust .

Erkennungsregeln (3)

🐹 Go 1 rules

Unicode Normalization Security Issues MEDIUM

Security-sensitive string comparison without Unicode normalization.

🟨 Javascript 1 rules

Unicode Normalization Security Issues MEDIUM

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple representations of visually identical characters, which attackers can exploit to bypass input validation, authentication, or access control. Common attack vectors: - Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а') - Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased - Combining characters: "é" can be a single char or 'e' + combining a

🔷 Typescript 1 rules

Unicode Normalization Security Issues MEDIUM

🐍 Python 1 rules

Unicode Normalization Issues MEDIUM

Detects missing Unicode normalization leading to security bypasses.

4 Warnzeichen

Worauf bei Code-Reviews zu achten ist

Diese Muster weisen auf potenzielle Improper Handling of Unicode Encoding-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.

🟡

missing Unicode normalization in security-sensitive string comparisons javascript-unicode-normalization

🔍

Scanne deine Codebasis nach Improper Handling of Unicode Encoding

Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.

npx shoulder trust Alle Regeln durchsuchen