GHC is vulnerable to Trojan Source
A paper was published in October 2021 that describes this particular supply-chain vulnerability:
TL;DR: Unicode has invisible control characters for bidirectional text (the overrides, embeddings and isolates such as RLO, LRI and PDI). Placed inside a comment or string literal, they change the order in which an editor displays the surrounding characters but not the order in which the compiler reads them, so the code that gets executed differs from the code a reviewer sees.
Consider the following simple code:
module Main where
import Control.Monad (when)
main :: IO ()
main = do
{ let isAdmin = False
; {- when isAdmin $ begin admins only -}
putStrLn "You are an admin."
}
The file is attached as well, in case copy-paste eats the invisible characters (as it has in the listing above: the comment line there shows only the logical character order, the one GHC lexes).
Looking at the rendered code, the putStrLn appears to be guarded by "when isAdmin $", so running the program should print nothing. However, if you compile it with GHC 9.2.3 and run it, you'll see that the string "You are an admin." is printed. The bidirectional controls only reorder the display: logically the whole line, "when isAdmin $" included, sits inside the {- -} comment, and putStrLn runs unconditionally.
The paper's authors give examples of this vulnerability for several languages, but not Haskell. As the program above shows, though, GHC is vulnerable to the same kind of supply-chain attack: it accepts the file without any warning about the control characters.
I strongly believe it should be fixed and the paper describes how to fix this vulnerability.
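As an added example (not code from this report or from GHC), the kind of check the paper's mitigation calls for, in the form a reviewer or CI hook could run today: scan a source file for bidirectional control characters, count overrides and isolates that are never terminated on their line, and print the logical order the compiler actually lexes. The embedded Main.hs is a constructed reconstruction of the attached file following the paper's commenting-out pattern (an RLO followed by two LRI/PDI isolates inside the {- -} comment); the exact controls in the attached file are an assumption.

```python
"""Added example (not GHC code, not from the report): a Trojan Source scanner.

It flags Unicode bidirectional control characters in source text, counts
overrides/embeddings and isolates that are never terminated on their line
(the condition the paper suggests compilers reject), and shows the logical
order the compiler lexes. TROJAN_SOURCE is a constructed reconstruction of
the attached Main.hs; the exact controls used there are an assumption.
"""

# The nine bidi controls that can reorder rendered text.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}

RLO, LRI, PDI = "\u202e", "\u2066", "\u2069"

# Constructed sample (assumption about the attached file). Logically line 6
# is one {- ... -} comment, so putStrLn is unguarded. Under RLO the two
# isolates are displayed in reverse order, so an editor renders the line
# roughly as:   ; {- begin admins only -} when isAdmin $
TROJAN_SOURCE = "\n".join([
    "module Main where",
    "import Control.Monad (when)",
    "main :: IO ()",
    "main = do",
    "  { let isAdmin = False",
    "  ; {-" + RLO + LRI + " when isAdmin $ " + PDI + LRI + " begin admins only -}",
    '  putStrLn "You are an admin."',
    "  }",
    "",
])


def find_bidi_controls(source):
    """Return (line, column, 'U+XXXX', name) for every bidi control, 1-based."""
    hits = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name:
                hits.append((lineno, col, "U+%04X" % ord(ch), name))
    return hits


def logical_view(text):
    """Drop the controls: this is the character order the compiler lexes."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def unterminated_controls(line):
    """Count embeddings/overrides with no matching PDF and isolates with no
    matching PDI on one line. Stray terminators are ignored (depth never
    goes below zero)."""
    emb = iso = 0
    for ch in line:
        name = BIDI_CONTROLS.get(ch)
        if name in ("LRE", "RLE", "LRO", "RLO"):
            emb += 1
        elif name == "PDF":
            emb = max(emb - 1, 0)
        elif name in ("LRI", "RLI", "FSI"):
            iso += 1
        elif name == "PDI":
            iso = max(iso - 1, 0)
    return emb, iso


def is_whole_line_comment(line):
    """True if, in logical order, the line's content (after the layout ';')
    is a single Haskell block comment {- ... -} with nothing outside it."""
    body = logical_view(line).strip().lstrip(";").strip()
    return body.startswith("{-") and body.endswith("-}") and body.count("{-") == 1


def scan(source):
    """One finding per offending line:
    (line_no, control names in order, (unterminated_emb, unterminated_iso), logical text)."""
    findings = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        names = [BIDI_CONTROLS[ch] for ch in line if ch in BIDI_CONTROLS]
        if names:
            findings.append((lineno, names, unterminated_controls(line), logical_view(line)))
    return findings


if __name__ == "__main__":
    for lineno, names, (emb, iso), logical in scan(TROJAN_SOURCE):
        print("line %d: %s (unterminated: %d embedding/override, %d isolate)"
              % (lineno, " ".join(names), emb, iso))
        print("  compiler sees: " + logical.strip())
```

The scanner deliberately does not implement the Unicode bidi algorithm; it only needs to know that any of these controls in source is suspicious, and the "unterminated" count reproduces the condition the paper asks compilers to reject. Rejecting the nine controls outright outside string literals is the simpler policy for a code base that has no legitimate right-to-left text.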