[Trojan Source Attacks] New feature: ban the use of text directionality control characters

[Lucas-C]

Is your feature request related to a problem? Please describe.
The vulnerability is detailed here: https://trojansource.codes

adversaries can attack the encoding of source code files to inject vulnerabilities
The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.

Describe the solution you'd like
Could a new check be added to bandit to detect those characters?

Describe alternatives you've considered
Using a language-agnostic linter tool detecting this vulnerability,
but I do not know any existing one so far.

Additional context

[kleph]

May be a bit less strict, as the article mention, unterminated bidirectionnal control character ?

I still haven't use those type of character, but I presume they are usefull for right to left languages. I assume banning all control chars would prevent writing comment in those languages ?

It's probably harder to implement though.

Appart from that, I think it's a great idea to implent those checks in tools, to not rely on human eye !

[Lucas-C]

It is recommended as part of the PDF white paper, section "VII. F - Defenses":

The simplest defense is to ban the use of text directionality control characters
If an application wishes to print text that requires Bidi overrides, developers can generate those characters using escape sequences rather than embedding potentially dangerous characters into source code.

[CarliJoy]

Please note #749 where I already opened an issue for the same topic.
Especially have a look at the linked ticket there that explains the issue in detail for python!

[Lucas-C]

Indeed, those issues are duplicates.
I'm closing this as it came after yours @CarliJoy