TortoiseGitMerge omits text after null byte when word wrap is enabled
The TortoiseGitMerge text editor omits any text after a null byte (\0) up to the end of the line. This allows hiding malicious code which will then not be noticed during code review.
What steps will reproduce the problem?
- Download the attached Malicious.java
It uses a null byte to hide additional "evil" code. The null byte is inside a Java block comment, and a zero-width space is used to make it look as if the block comment already ended earlier (before the null byte).
- Open the file with TortoiseGitMerge (e.g. by creating a new Git repository and looking at the diff)
Result: the "evil" code is not shown
- Optional: Execute the code with
java Malicious.java (requires Java >= 11)
What is the expected output? What do you see instead?
Actually shown by TortoiseGitMerge:
Expected: Text after the null byte should be shown. Ideally TortoiseGitMerge should warn the user when a text file contains any control or format character (which might be exploitable), e.g. Right-to-Left Override, but that might be out of scope.
What version of TortoiseGit and Git are you using? On what operating system?
Microsoft Windows [Version 10.0.19043.1348]
- TortoiseGit 126.96.36.199
- git version 2.34.1.windows.1
Please provide any additional information below.
GitHub seems to just omit the null byte, and for other potentially exploitable characters it shows a warning, see https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/.
GitLab seems to completely refuse to show diffs for text files containing null bytes (not sure if intentional), and for text-direction overrides it shows a replacement character together with a warning:
(release notes entry)