Improper Handling of Unicode Encoding (CWE-176)

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

Rozpowszechnienie

Średnia

Pokryto 3 języków

Wplyw

Średni

Zalecany przegląd

Zapobieganie

Udokumentowane

3 przykładów poprawek

2 Zapobieganie

Jak naprawić tę podatność

Strategie zapobiegania dla Improper Handling of Unicode oparte na 3 regułach detekcji Shoulder.

🐹 Go Zobacz wszystko Go szczegóły →

Unicode Normalization Security Issues MEDIUM

Normalize strings with NFKC before security-sensitive comparisons

+6 -3 go

- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.FormValue("username")
-     if username == "admin" {
+ import "golang.org/x/text/unicode/norm"
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.FormValue("username")
+     normalized := norm.NFKC.String(strings.ToLower(username))
+     if normalized == "admin" {
          grantAdminAccess()
      }
  }

🟨 JavaScript Zobacz wszystko JavaScript szczegóły →

Unicode Normalization Security Issues MEDIUM

Normalize Unicode strings with NFKC before security-sensitive comparisons

+2 -1 javascript

  app.post('/login', (req, res) => {
-   if (req.body.username === 'admin') {
+   const username = req.body.username.normalize('NFKC').toLowerCase();
+   if (username === 'admin') {
      return res.send('Admin access');
    }
  });

🐍 Python Zobacz wszystko Python szczegóły →

Unicode Normalization Issues MEDIUM

Normalize Unicode strings with NFKC before comparison or security-critical operations

+6 -2 python

- def check_username(input_name, stored_name):
-     if input_name == stored_name:
+ import unicodedata
+ 
+ def check_username(input_name, stored_name):
+     normalized_input = unicodedata.normalize('NFKC', input_name).lower()
+     normalized_stored = unicodedata.normalize('NFKC', stored_name).lower()
+     if normalized_input == normalized_stored:
          grant_access()

3 Wykrywanie

Znajdz podatnosci w swoim kodzie

Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Improper Handling of Unicode Encoding. 3 reguly.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=176

# Or scan entire project
npx @shoulderdev/cli trust .

Reguly Wykrywania (3)

🐹 Go 1 rules

Unicode Normalization Security Issues MEDIUM

Security-sensitive string comparison without Unicode normalization.

🟨 Javascript 1 rules

Unicode Normalization Security Issues MEDIUM

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple representations of visually identical characters, which attackers can exploit to bypass input validation, authentication, or access control. Common attack vectors: - Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а') - Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased - Combining characters: "é" can be a single char or 'e' + combining a

🔷 Typescript 1 rules

Unicode Normalization Security Issues MEDIUM

🐍 Python 1 rules

Unicode Normalization Issues MEDIUM

Detects missing Unicode normalization leading to security bypasses.

4 Sygnaly Ostrzegawcze

Na co zwracac uwage podczas przegladu kodu

Te wzorce wskazuja na potencjalne podatnosci Improper Handling of Unicode Encoding. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.

🟡

missing Unicode normalization in security-sensitive string comparisons javascript-unicode-normalization

🔍

Przeskanuj swój kod w poszukiwaniu Improper Handling of Unicode Encoding

Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.

npx shoulder trust Przeglądaj wszystkie reguły