OK that is pretty interesting. For the TL;DR crowd, the exploit was:
if(environmentǃ=ENV_PROD){
// bypass authZ checks in DEV
return true;
}
where the 'ǃ' is a Unicode homoglyph (U+1C3 "LATIN LETTER ALVEOLAR CLICK") which obviously completely changes the nature of the code.
I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!
The shown code is JavaScript; it wouldn't compile as C, because "environment[alveolar-click]" was never declared, and C requires declare-before-use.
Does the advice to use GCC -Werror still apply to JavaScript? (I'd guess no, but I don't know for sure if I'm missing something.)
It compiles fine as C (using gcc-15.1.1-2.fc43.x86_64). Here's the complete program that I tested before posting the comment above:
int environmentǃ;
int main()
{
if(environmentǃ=0){
// bypass authZ checks in DEV
return 0;
}
return 1;
}
The output of GCC is:
$ gcc -Wall test.c
test.c: In function ‘main’:
test.c:4:6: warning: suggest parentheses around assignment used as truth value [-Wparentheses]
4 | if(environmentǃ=0){
| ^~~~~~~~~~~~
In a real exploit you'd have to be smarter about hiding the variable declaration (maybe in a library or something).
I'll note that GCC gives a clear warning here ("suggest parentheses around assignment used as truth value"), so as always, turn on -Werror and take warnings seriously!