Skip to content

Commit e1638f2

Browse files
claudeclaude
committed
Use has.sh, &>/dev/null, safe examples, extract Python to separate file
- Use 'has' from has.sh instead of 'command -v'. - Use &>/dev/null instead of >/dev/null 2>&1. - Replace offensive/risky test examples (rm -rf, root escalation) with safe alternatives (GOOD/BADX overwrite, harmless error messages). - Move inline Python for long-line generation to separate script usr/libexec/helper-scripts/write-long-line-with-unicode. https://claude.ai/code/session_01726gqqGv3oaDV5jLbM6E6h
1 parent d34fa86 commit e1638f2

File tree

2 files changed

+48
-18
lines changed

2 files changed

+48
-18
lines changed

tests/test_grep_find_unicode_wrapper

Lines changed: 20 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ skip_count=0
2525

2626
source /usr/libexec/helper-scripts/get_colors.sh
2727
source /usr/libexec/helper-scripts/safe-rm-maybe.bsh
28+
source /usr/libexec/helper-scripts/has.sh
2829

2930
cleanup() {
3031
if [ -n "$test_dir" ] && [ -d "$test_dir" ]; then
@@ -38,13 +39,14 @@ test_dir="$(mktemp --directory)"
3839
## grep-find-unicode-wrapper is similar to grep.
3940
## - Exit code 0: if found.
4041
## - Non-zero exit code: if not found.
41-
command -v grep-find-unicode-wrapper >/dev/null
42+
has grep-find-unicode-wrapper
43+
has write-long-line-with-unicode
4244

4345
expect_detected() {
4446
local description="$1"
4547
local file_name="$2"
4648

47-
if grep-find-unicode-wrapper "$file_name" >/dev/null 2>&1 ; then
49+
if grep-find-unicode-wrapper "$file_name" &>/dev/null ; then
4850
printf "%s\n" "${green}PASS${nocolor}: Detected: $description"
4951
pass_count=$(( pass_count + 1 ))
5052
else
@@ -57,7 +59,7 @@ expect_clean() {
5759
local description="$1"
5860
local file_name="$2"
5961

60-
if ! grep-find-unicode-wrapper "$file_name" >/dev/null 2>&1 ; then
62+
if ! grep-find-unicode-wrapper "$file_name" &>/dev/null ; then
6163
printf "%s\n" "${green}PASS${nocolor}: Clean: $description"
6264
pass_count=$(( pass_count + 1 ))
6365
else
@@ -70,15 +72,15 @@ write_file() {
7072
local name="$1"
7173
local content="$2"
7274
local file_name="$test_dir/$name"
73-
printf '%s' "$content" | tee -- "$file_name" >/dev/null
75+
printf '%s' "$content" | tee -- "$file_name" &>/dev/null
7476
printf '%s' "$file_name"
7577
}
7678

7779
write_file_binary() {
7880
local name="$1"
7981
shift
8082
local file_name="$test_dir/$name"
81-
printf "$@" | tee -- "$file_name" >/dev/null
83+
printf "$@" | tee -- "$file_name" &>/dev/null
8284
printf '%s' "$file_name"
8385
}
8486

@@ -121,7 +123,7 @@ old_check3_pattern=$'[\u061C\u200E\u200F\u202A\u202B\u202C\u202D\u202E\u2066\u20
121123
check3_false_positive_test() {
122124
local description="$1"
123125
local file_name="$2"
124-
if LC_ALL=C grep --files-with-matches --line-number --binary-files=text "$old_check3_pattern" "$file_name" >/dev/null 2>&1; then
126+
if LC_ALL=C grep --files-with-matches --line-number --binary-files=text "$old_check3_pattern" "$file_name" &>/dev/null; then
125127
if [ "$check3_locale_ok" = "true" ]; then
126128
## UTF-8 locale: old pattern should work, so this is a real failure.
127129
printf '%s\n' "${red}FAIL${nocolor}: Old check 3 false positive: $description" >&2
@@ -427,20 +429,23 @@ f="$(write_file_binary "hidden_in_comment.txt" '# This is a normal comment\xE2\x
427429
expect_detected "Zero-width space hidden in comment" "$f"
428430

429431
## LTR mark (E2 80 8E) hidden in a string literal.
430-
f="$(write_file_binary "hidden_in_string.txt" 'var x = "hello\xE2\x80\x8Eworld";')"
432+
f="$(write_file_binary "hidden_in_string.txt" 'x = "hello\xE2\x80\x8Eworld"')"
431433
expect_detected "LTR mark hidden in string literal" "$f"
432434

433435
## Trojan Source BiDi attack pattern.
434-
f="$(write_file_binary "trojan_source_example.txt" 'access_level = "user\xE2\x80\xAA\xE2\x81\xA6\xE2\x81\xA9\xE2\x81\xA6admin\xE2\x81\xA9\xE2\x80\xAC"')"
436+
## Embeds BiDi overrides around the word "test" to demonstrate detection.
437+
f="$(write_file_binary "trojan_source_example.txt" 'access_level = "user\xE2\x80\xAA\xE2\x81\xA6\xE2\x81\xA9\xE2\x81\xA6test\xE2\x81\xA9\xE2\x80\xAC"')"
435438
expect_detected "Trojan Source BiDi attack pattern" "$f"
436439

437-
## Backspace (\x08) overwrite attack.
438-
f="$(write_file_binary "backspace_overwrite.txt" 'user\x08\x08\x08\x08root')"
439-
expect_detected "Backspace overwrite (displays 'root' over 'user')" "$f"
440+
## Backspace (\x08) overwrite: text followed by backspaces then replacement.
441+
## Would display "BADX" overwriting "GOOD" on a terminal.
442+
f="$(write_file_binary "backspace_overwrite.txt" 'GOOD\x08\x08\x08\x08BADX')"
443+
expect_detected "Backspace overwrite (GOOD overwritten by BADX)" "$f"
440444

441-
## Carriage return (\x0D) overwrite attack.
442-
f="$(write_file_binary "cr_overwrite.txt" 'safe command\x0Drm -rf /')"
443-
expect_detected "CR overwrite (hides malicious command)" "$f"
445+
## Carriage return (\x0D) overwrite: second text replaces first on display.
446+
## Would display "ERROR: You should not see this" on a terminal.
447+
f="$(write_file_binary "cr_overwrite.txt" 'This line looks safe\x0DERROR: You should not see this')"
448+
expect_detected "CR overwrite (hides text behind carriage return)" "$f"
444449

445450
## ===================================================================
446451
## Section 10: Mixed content edge cases
@@ -461,10 +466,7 @@ f="$(write_file_binary "leading_null.txt" '\x00normal text')"
461466
expect_detected "NULL byte at start of file" "$f"
462467

463468
## Very long line with suspicious char in the middle (ZWSP = E2 80 8B).
464-
python3 -c "
465-
import sys
466-
sys.stdout.buffer.write(b'a' * 10000 + b'\xe2\x80\x8b' + b'b' * 10000)
467-
" | tee -- "$test_dir/long_line.txt" >/dev/null
469+
write-long-line-with-unicode "$test_dir/long_line.txt"
468470
expect_detected "Suspicious char buried in 20000-char line" "$test_dir/long_line.txt"
469471

470472
## ===================================================================

usr/libexec/helper-scripts/write-long-line-with-unicode

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
#!/usr/bin/python3 -su
2+
3+
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
4+
## See the file COPYING for copying conditions.
5+
6+
"""
7+
Writes a long line with a suspicious Unicode character (ZWSP, U+200B)
8+
buried in the middle. Used by test_grep_find_unicode_wrapper to test
9+
detection in large files.
10+
11+
Usage: write-long-line-with-unicode <output-file>
12+
"""
13+
14+
import sys
15+
16+
def main():
17+
if len(sys.argv) != 2:
18+
sys.stderr.write("Usage: write-long-line-with-unicode <output-file>\n")
19+
return 1
20+
output_path = sys.argv[1]
21+
## 10000 'a' bytes + ZWSP (E2 80 8B) + 10000 'b' bytes
22+
data = b'a' * 10000 + b'\xe2\x80\x8b' + b'b' * 10000
23+
with open(output_path, 'wb') as output_file:
24+
output_file.write(data)
25+
return 0
26+
27+
if __name__ == "__main__":
28+
sys.exit(main())

0 commit comments

Comments
 (0)