Improper Handling of Unicode Encoding (CWE-176)

Improper Handling of Unicode Encoding

The product does not properly handle when an input contains Unicode encoding.

Unicode characters can have multiple encodings or representations. If an application does not properly handle Unicode, attackers may be able to bypass security filters or cause unexpected behavior using alternate encodings.

普遍性

中

覆盖 3 种语言

影响

中

建议审查

预防

已记录

3 个修复示例

2 预防

如何修复此漏洞

基于 3 条 Shoulder 检测规则的 Improper Handling of Unicode 预防策略。

🐹 Go 查看全部 Go 详情 →

Unicode Normalization Security Issues MEDIUM

Normalize strings with NFKC before security-sensitive comparisons

+6 -3 go

- func handler(w http.ResponseWriter, r *http.Request) {
-     username := r.FormValue("username")
-     if username == "admin" {
+ import "golang.org/x/text/unicode/norm"
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     username := r.FormValue("username")
+     normalized := norm.NFKC.String(strings.ToLower(username))
+     if normalized == "admin" {
          grantAdminAccess()
      }
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

Unicode Normalization Security Issues MEDIUM

Normalize Unicode strings with NFKC before security-sensitive comparisons

+2 -1 javascript

  app.post('/login', (req, res) => {
-   if (req.body.username === 'admin') {
+   const username = req.body.username.normalize('NFKC').toLowerCase();
+   if (username === 'admin') {
      return res.send('Admin access');
    }
  });

🐍 Python 查看全部 Python 详情 →

Unicode Normalization Issues MEDIUM

Normalize Unicode strings with NFKC before comparison or security-critical operations

+6 -2 python

- def check_username(input_name, stored_name):
-     if input_name == stored_name:
+ import unicodedata
+ 
+ def check_username(input_name, stored_name):
+     normalized_input = unicodedata.normalize('NFKC', input_name).lower()
+     normalized_stored = unicodedata.normalize('NFKC', stored_name).lower()
+     if normalized_input == normalized_stored:
          grant_access()

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Improper Handling of Unicode Encoding模式。 3 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=176

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (3)

🐹 Go 1 rules

Unicode Normalization Security Issues MEDIUM

Security-sensitive string comparison without Unicode normalization.

🟨 Javascript 1 rules

Unicode Normalization Security Issues MEDIUM

Detects missing Unicode normalization in security-sensitive string comparisons. Unicode allows multiple representations of visually identical characters, which attackers can exploit to bypass input validation, authentication, or access control. Common attack vectors: - Homograph attacks (using lookalike characters): "аdmin" vs "admin" (Cyrillic 'а') - Case folding differences: "ß" (German sharp s) becomes "SS" when uppercased - Combining characters: "é" can be a single char or 'e' + combining a

🔷 Typescript 1 rules

Unicode Normalization Security Issues MEDIUM

🐍 Python 1 rules

Unicode Normalization Issues MEDIUM

Detects missing Unicode normalization leading to security bypasses.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Improper Handling of Unicode Encoding漏洞。在代码审查和安全审计中注意查找。

🟡

missing Unicode normalization in security-sensitive string comparisons javascript-unicode-normalization

🔍

扫描你的代码库: Improper Handling of Unicode Encoding

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则