gradle · JLLeitschuh · Jan 15, 2020 · Jan 13, 2020 · Jan 15, 2020 · Jan 15, 2020
diff --git a/README.md b/README.md
@@ -34,6 +34,12 @@ verify that any and all `gradle-wrapper.jar` files in the repository match the S
 
 If any are found that do not match the SHA-256 checksums of our official releases, the action will fail.
 
+Additionally, the action will find and SHA-256 hash all
+[homoglyph](https://en.wikipedia.org/wiki/Homoglyph)
+variants of files named `gradle-wrapper.jar`,
+for example a file named `gradlе-wrapper.jar` (which uses a Cyrillic `е` instead of `e`).
+The goal is to prevent homoglyph attacks which may be very difficult to spot in a GitHub diff.
+
 ## Usage
 
 Simply add this action to your workflow **after** having checked out your source tree and **before** running any Gradle build:  

diff --git a/__tests__/data/invalid/gradlе-wrapper.jar b/__tests__/data/invalid/gradlе-wrapper.jar
diff --git a/__tests__/find.test.ts b/__tests__/find.test.ts
@@ -4,7 +4,8 @@ import * as find from '../src/find'
 test('finds test data wrapper jars', async () => {
   const repoRoot = path.resolve('.')
   const wrapperJars = await find.findWrapperJars(repoRoot)
-  expect(wrapperJars.length).toBe(2)
+  expect(wrapperJars.length).toBe(3)
   expect(wrapperJars).toContain('__tests__/data/valid/gradle-wrapper.jar')
   expect(wrapperJars).toContain('__tests__/data/invalid/gradle-wrapper.jar')
+  expect(wrapperJars).toContain('__tests__/data/invalid/gradlе-wrapper.jar') // homoglyph
 })
diff --git a/__tests__/validate.test.ts b/__tests__/validate.test.ts
@@ -4,21 +4,22 @@ import * as validate from '../src/validate'
 const baseDir = path.resolve('.')
 
 test('succeeds if all found wrapper jars are valid', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 2, false, [
+  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [
     'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
   ])
 
   expect(result.isValid()).toBe(true)
 
   expect(result.toDisplayString()).toBe(
     '✓ Found known Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
   )
 })
 
 test('fails if invalid wrapper jars are found', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 2, false, [])
+  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
 
   expect(result.isValid()).toBe(false)
 
@@ -33,31 +34,37 @@ test('fails if invalid wrapper jars are found', async () => {
     new validate.WrapperJar(
       '__tests__/data/invalid/gradle-wrapper.jar',
       'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+    ),
+    new validate.WrapperJar(
+      '__tests__/data/invalid/gradlе-wrapper.jar', // homoglyph
+      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
     )
   ])
 
   expect(result.toDisplayString()).toBe(
     '✗ Found unknown Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '✓ Found known Gradle Wrapper JAR files:\n' +
       '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
   )
 })
 
 test('fails if not enough wrapper jars are found', async () => {
-  const result = await validate.findInvalidWrapperJars(baseDir, 3, false, [])
+  const result = await validate.findInvalidWrapperJars(baseDir, 4, false, [])
 
   expect(result.isValid()).toBe(false)
 
   expect(result.errors).toEqual([
-    'Expected to find at least 3 Gradle Wrapper JARs but got only 2'
+    'Expected to find at least 4 Gradle Wrapper JARs but got only 3'
   ])
 
   expect(result.toDisplayString()).toBe(
     '✗ Found unknown Gradle Wrapper JAR files:\n' +
-      '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradle-wrapper.jar\n' +
+    '  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 __tests__/data/invalid/gradlе-wrapper.jar\n' + // homoglyph
       '✗ Other validation errors:\n' +
-      '  Expected to find at least 3 Gradle Wrapper JARs but got only 2\n' +
+      '  Expected to find at least 4 Gradle Wrapper JARs but got only 3\n' +
       '✓ Found known Gradle Wrapper JAR files:\n' +
       '  3888c76faa032ea8394b8a54e04ce2227ab1f4be64f65d450f8509fe112d38ce __tests__/data/valid/gradle-wrapper.jar'
   )

diff --git a/dist/index.js b/dist/index.js
diff --git a/jest.config.js b/jest.config.js
@@ -7,5 +7,6 @@ module.exports = {
   transform: {
     '^.+\\.ts$': 'ts-jest'
   },
-  verbose: true
+  verbose: true,
+  setupFilesAfterEnv: ['./jest.setup.js']
 }
diff --git a/jest.setup.js b/jest.setup.js
@@ -0,0 +1 @@
+jest.setTimeout(10000) // in milliseconds
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -26,7 +26,8 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.2.0",
-    "typed-rest-client": "^1.7.1"
+    "typed-rest-client": "^1.7.1",
+    "unhomoglyph": "^1.0.3"
   },
   "devDependencies": {
     "@types/jest": "^24.0.23",

diff --git a/src/declarations.d.ts b/src/declarations.d.ts
@@ -0,0 +1,4 @@
+declare module 'unhomoglyph' {
+  function unhomoglyph(input: string): string
+  export = unhomoglyph
+}
diff --git a/src/find.ts b/src/find.ts
@@ -1,13 +1,14 @@
 import * as util from 'util'
 import * as path from 'path'
 import * as fs from 'fs'
+import unhomoglyph from 'unhomoglyph'
 
 const readdir = util.promisify(fs.readdir)
 
 export async function findWrapperJars(baseDir: string): Promise<string[]> {
   const files = await recursivelyListFiles(baseDir)
   return files
-    .filter(file => file.endsWith('gradle-wrapper.jar'))
+    .filter(file => unhomoglyph(file).endsWith('gradle-wrapper.jar'))
     .map(wrapperJar => path.relative(baseDir, wrapperJar))
     .sort((a, b) => a.localeCompare(b))
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		jest.setTimeout(10000) // in milliseconds
eskatos marked this conversation as resolved. Show resolved Hide resolved