# Improper Handling of Unicode Encoding (CWE-176)

The product does not properly handle when an input contains Unicode encoding.

**Stack:** Python

- Prevalence: Mittel 3 Sprachen abgedeckt
- Impact: Mittel Review empfohlen
- Prevention: Dokumentiert 3 Fix-Beispiele

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

## Prevention

Präventionsstrategien für Improper Handling of Unicode basierend auf 1 Shoulder-Erkennungsregeln.

### Python

Normalize Unicode strings with NFKC before comparison or security-critical operations

## Warning Signs

- [MEDIUM] missing Unicode normalization leading to security bypasses

## Consequences

- Schutzmechanismus umgehen
- Nicht autorisierten Code ausführen

## Mitigations

- Unicode-Eingaben vor der Verarbeitung in eine kanonische Form normalisieren
- Sicherheitsprüfungen erst nach der Unicode-Normalisierung anwenden
- Verwende Vergleichsfunktionen, die Unicode korrekt behandeln

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Unicode Normalization Issues** [MEDIUM]: Detects missing Unicode normalization leading to security bypasses.
  - Remediation: Normalize Unicode strings before comparison using unicodedata.normalize().

```python
import unicodedata

def normalize_username(username):
    return unicodedata.normalize('NFKC', username).lower()

if normalize_username(input_name) == normalize_username(stored_name):
    grant_access()
```

Learn more: https://shoulder.dev/learn/python/cwe-176/unicode-normalization