bidichk - checks for dangerous unicode character sequences

bidichk finds dangerous unicode character sequences in Go source files.

Considered dangerous unicode characters

The following unicode characters are considered dangerous:

• U+202A: LEFT-TO-RIGHT-EMBEDDING
• U+202B: RIGHT-TO-LEFT-EMBEDDING
• U+202C: POP-DIRECTIONAL-FORMATTING
• U+202D: LEFT-TO-RIGHT-OVERRIDE
• U+202E: RIGHT-TO-LEFT-OVERRIDE
• U+2066: LEFT-TO-RIGHT-ISOLATE
• U+2067: RIGHT-TO-LEFT-ISOLATE
• U+2068: FIRST-STRONG-ISOLATE
• U+2069: POP-DIRECTIONAL-ISOLATE

Installation

Download bidichk from the releases or get the latest version from source with:

go install github.com/breml/bidichk/cmd/bidichk@latest

Usage

golangci-lint

golangci-lint supports bidichk, so you can enable this linter and use it.

Shell

Check everything:

bidichk ./...

Enable only required unicode runes

If you run bidichk via golangci-lint look at .golangci.example.yml for an example of the configuration.

Otherwise you can run bidichk with --disallowed-runes flag to specify the runes you consider harmful.

E.g. the following command considers only the LEFT-TO-RIGHT-OVERRIDE unicode rune as dangerous:

bidichk --disallowed-runes LEFT-TO-RIGHT-OVERRIDE ./...

For the full list of supported unicode runes see above or use

bidichk --help

Inspiration

• 'Trojan Source' Bug Threatens the Security of All Code
• Trojan Source - Proofs-of-Concept
• Go proposal: disallow LTR/RTL characters in string literals?
• cockroachdb/cockroach - PR: lint: add linter for unicode directional formatting characters
• Russ Cox - On “Trojan Source” Attacks