Implement text_direction_codepoint lint

enthropy7 · enthropy7 · commit 32eb70985842 · 2026-01-01T01:30:41.000+03:00
Adds a lint that detects Unicode BiDi control codepoints (U+202A-U+202E, U+2066-U+2069) in manifest files to prevent Trojan Source attacks (CVE-2021-42574). Default level: deny Fixes #16373 Fixes #16374
diff --git a/src/cargo/core/workspace.rs b/src/cargo/core/workspace.rs
@@ -25,6 +25,7 @@ use crate::lints::analyze_cargo_lints_table;
 use crate::lints::rules::blanket_hint_mostly_unused;
 use crate::lints::rules::check_im_a_teapot;
 use crate::lints::rules::implicit_minimum_version_req;
+use crate::lints::rules::text_direction_codepoint;
 use crate::ops;
 use crate::sources::{CRATES_IO_INDEX, CRATES_IO_REGISTRY, PathSource, SourceConfigMap};
 use crate::util::context::{FeatureUnification, Value};
@@ -1313,6 +1314,13 @@ impl<'gctx> Workspace<'gctx> {
                 &mut run_error_count,
                 self.gctx,
             )?;
+            text_direction_codepoint(
+                pkg.into(),
+                &path,
+                &cargo_lints,
+                &mut run_error_count,
+                self.gctx,
+            )?;
 
             if run_error_count > 0 {
                 let plural = if run_error_count == 1 { "" } else { "s" };
@@ -1370,6 +1378,17 @@ impl<'gctx> Workspace<'gctx> {
                 &mut run_error_count,
                 self.gctx,
             )?;
+            // Only check for BiDi codepoints in virtual workspace manifests.
+            // For package roots, the lint is run in emit_pkg_lints.
+            if matches!(self.root_maybe(), MaybePackage::Virtual(_)) {
+                text_direction_codepoint(
+                    self.root_maybe().into(),
+                    self.root_manifest(),
+                    &cargo_lints,
+                    &mut run_error_count,
+                    self.gctx,
+                )?;
+            }
         }
 
         // This is a short term hack to allow `blanket_hint_mostly_unused`
diff --git a/src/cargo/lints/rules/mod.rs b/src/cargo/lints/rules/mod.rs
@@ -1,16 +1,19 @@
 mod blanket_hint_mostly_unused;
 mod im_a_teapot;
 mod implicit_minimum_version_req;
+mod text_direction_codepoint;
 mod unknown_lints;
 
 pub use blanket_hint_mostly_unused::blanket_hint_mostly_unused;
 pub use im_a_teapot::check_im_a_teapot;
 pub use implicit_minimum_version_req::implicit_minimum_version_req;
+pub use text_direction_codepoint::text_direction_codepoint;
 pub use unknown_lints::output_unknown_lints;
 
 pub const LINTS: &[crate::lints::Lint] = &[
     blanket_hint_mostly_unused::LINT,
     implicit_minimum_version_req::LINT,
     im_a_teapot::LINT,
+    text_direction_codepoint::LINT,
     unknown_lints::LINT,
 ];
diff --git a/src/cargo/lints/rules/text_direction_codepoint.rs b/src/cargo/lints/rules/text_direction_codepoint.rs
@@ -0,0 +1,106 @@
+use std::path::Path;
+
+use annotate_snippets::AnnotationKind;
+use annotate_snippets::Group;
+use annotate_snippets::Level;
+use annotate_snippets::Snippet;
+use cargo_util_schemas::manifest::TomlToolLints;
+
+use crate::CargoResult;
+use crate::GlobalContext;
+use crate::lints::Lint;
+use crate::lints::LintLevel;
+use crate::lints::ManifestFor;
+use crate::lints::rel_cwd_manifest_path;
+
+/// Unicode BiDi (bidirectional) control codepoints that can be used in
+/// "Trojan Source" attacks (CVE-2021-42574).
+///
+/// These codepoints change the visual representation of text on screen
+/// in a way that does not correspond to their in-memory representation.
+const UNICODE_BIDI_CODEPOINTS: &[(char, &str)] = &[
+    ('\u{202A}', "LEFT-TO-RIGHT EMBEDDING"),
+    ('\u{202B}', "RIGHT-TO-LEFT EMBEDDING"),
+    ('\u{202C}', "POP DIRECTIONAL FORMATTING"),
+    ('\u{202D}', "LEFT-TO-RIGHT OVERRIDE"),
+    ('\u{202E}', "RIGHT-TO-LEFT OVERRIDE"),
+    ('\u{2066}', "LEFT-TO-RIGHT ISOLATE"),
+    ('\u{2067}', "RIGHT-TO-LEFT ISOLATE"),
+    ('\u{2068}', "FIRST STRONG ISOLATE"),
+    ('\u{2069}', "POP DIRECTIONAL ISOLATE"),
+];
+
+pub const LINT: Lint = Lint {
+    name: "text_direction_codepoint",
+    desc: "unicode codepoint changing visible direction of text present in manifest",
+    groups: &[],
+    default_level: LintLevel::Deny,
+    edition_lint_opts: None,
+    feature_gate: None,
+    docs: None,
+};
+
+pub fn text_direction_codepoint(
+    manifest: ManifestFor<'_>,
+    manifest_path: &Path,
+    cargo_lints: &TomlToolLints,
+    error_count: &mut usize,
+    gctx: &GlobalContext,
+) -> CargoResult<()> {
+    let (lint_level, reason) = manifest.lint_level(cargo_lints, LINT);
+
+    if lint_level == LintLevel::Allow {
+        return Ok(());
+    }
+
+    let contents = manifest.contents();
+    let manifest_path_str = rel_cwd_manifest_path(manifest_path, gctx);
+
+    let findings: Vec<_> = contents
+        .char_indices()
+        .filter_map(|(idx, ch)| {
+            UNICODE_BIDI_CODEPOINTS
+                .iter()
+                .find(|(c, _)| *c == ch)
+                .map(|(_, name)| (idx, ch, *name))
+        })
+        .collect();
+
+    if findings.is_empty() {
+        return Ok(());
+    }
+
+    let level = lint_level.to_diagnostic_level();
+    let emitted_source = LINT.emitted_source(lint_level, reason);
+
+    for (i, (byte_idx, ch, name)) in findings.iter().enumerate() {
+        if lint_level.is_error() {
+            *error_count += 1;
+        }
+
+        let title = format!("{}: `\\u{{{:04X}}}` ({})", LINT.desc, *ch as u32, name);
+        let span = *byte_idx..(*byte_idx + ch.len_utf8());
+
+        let mut group = Group::with_title(level.clone().primary_title(&title)).element(
+            Snippet::source(contents)
+                .path(&manifest_path_str)
+                .annotation(
+                    AnnotationKind::Primary
+                        .span(span)
+                        .label("this invisible unicode codepoint changes text flow direction"),
+                ),
+        );
+
+        if i == 0 {
+            group = group.element(Level::NOTE.message(&emitted_source));
+        }
+        group = group.element(Level::HELP.message(
+            "if their presence wasn't intentional, you can remove them",
+        ));
+
+        gctx.shell().print_report(&[group], lint_level.force())?;
+    }
+
+    Ok(())
+}
+
diff --git a/tests/testsuite/lints/text_direction_codepoint.rs b/tests/testsuite/lints/text_direction_codepoint.rs
@@ -19,9 +19,17 @@ description = \"A \u{202E}test package\"
 
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[CHECKING] foo v0.0.1 ([ROOT]/foo)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+[ERROR] unicode codepoint changing visible direction of text present in manifest: `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test package"
+  |                  ^ this invisible unicode codepoint changes text flow direction
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 1 error while running lints
 
 "#]])
         .run();
@@ -36,6 +44,77 @@ name = \"foo\"
 version = \"0.0.1\"
 edition = \"2015\"
 description = \"A \u{202E}test\u{202D} package\"
+";
+    let p = project()
+        .file("Cargo.toml", manifest)
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("check -Zcargo-lints")
+        .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
+        .with_stderr_data(str![[r#"
+[ERROR] unicode codepoint changing visible direction of text present in manifest: `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test� package"
+  |                  ^ this invisible unicode codepoint changes text flow direction
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] unicode codepoint changing visible direction of text present in manifest: `/u{202D}` (LEFT-TO-RIGHT OVERRIDE)
+ --> Cargo.toml:6:23
+  |
+6 | description = "A �test� package"
+  |                       ^ this invisible unicode codepoint changes text flow direction
+  |
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 2 errors while running lints
+
+"#]])
+        .run();
+}
+
+#[cargo_test]
+fn allow_lint() {
+    // Test that the lint can be allowed
+    let manifest = "
+[package]
+name = \"foo\"
+version = \"0.0.1\"
+edition = \"2015\"
+description = \"A \u{202E}test package\"
+
+[lints.cargo]
+text_direction_codepoint = \"allow\"
+";
+    let p = project()
+        .file("Cargo.toml", manifest)
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("check -Zcargo-lints")
+        .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_stderr_data(str![[r#"
+[CHECKING] foo v0.0.1 ([ROOT]/foo)
+[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+
+"#]])
+        .run();
+}
+
+#[cargo_test]
+fn warn_lint() {
+    // Test that the lint can be set to warn
+    let manifest = "
+[package]
+name = \"foo\"
+version = \"0.0.1\"
+edition = \"2015\"
+description = \"A \u{202E}test package\"
+
+[lints.cargo]
+text_direction_codepoint = \"warn\"
 ";
     let p = project()
         .file("Cargo.toml", manifest)
@@ -45,6 +124,14 @@ description = \"A \u{202E}test\u{202D} package\"
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
         .with_stderr_data(str![[r#"
+[WARNING] unicode codepoint changing visible direction of text present in manifest: `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test package"
+  |                  ^ this invisible unicode codepoint changes text flow direction
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `warn` in `[lints]`
+  = [HELP] if their presence wasn't intentional, you can remove them
 [CHECKING] foo v0.0.1 ([ROOT]/foo)
 [FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
 
@@ -79,18 +166,24 @@ edition = "2015"
 }
 
 #[cargo_test]
-fn workspace_member_bidi() {
-    // Workspace with BiDi in member package
+fn workspace_inherited_allow() {
+    // Workspace-level lint configuration with member package
     let manifest = "
 [workspace]
 members = [\"foo\"]
+
+[workspace.lints.cargo]
+text_direction_codepoint = \"allow\"
 ";
     let foo_manifest = "
 [package]
 name = \"foo\"
 version = \"0.0.1\"
 edition = \"2015\"
 description = \"A \u{202E}test package\"
+
+[lints]
+workspace = true
 ";
     let p = project()
         .file("Cargo.toml", manifest)
@@ -132,9 +225,17 @@ edition = "2015"
 
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[CHECKING] foo v0.0.1 ([ROOT]/foo/foo)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+[ERROR] unicode codepoint changing visible direction of text present in manifest: `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+ --> Cargo.toml:6:14
+  |
+6 | info = "test �info"
+  |              ^ this invisible unicode codepoint changes text flow direction
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 1 error while running lints
 
 "#]])
         .run();
