# Improper Handling of Unicode Encoding (CWE-176)

The product does not properly handle when an input contains Unicode encoding.

**Stack:** Python

- Prevalence: 中 3 言語をカバー
- Impact: ミディアム レビュー推奨
- Prevention: 文書化済み 3 件の修正例

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

## Prevention

1 件の Shoulder 検出ルールに基づく Improper Handling of Unicode の予防策。

### Python

Normalize Unicode strings with NFKC before comparison or security-critical operations

## Warning Signs

- [MEDIUM] missing Unicode normalization leading to security bypasses

## Consequences

- 保護メカニズムの回避
- 未承認コードの実行

## Mitigations

- 処理前に Unicode 入力を正規形に正規化する
- Unicode 正規化の後にセキュリティチェックを適用する
- Unicode を考慮した比較関数を使用する

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (1 rules)

- **Unicode Normalization Issues** [MEDIUM]: Detects missing Unicode normalization leading to security bypasses.
  - Remediation: Normalize Unicode strings before comparison using unicodedata.normalize().

```python
import unicodedata

def normalize_username(username):
    return unicodedata.normalize('NFKC', username).lower()

if normalize_username(input_name) == normalize_username(stored_name):
    grant_access()
```

Learn more: https://shoulder.dev/learn/python/cwe-176/unicode-normalization