Implement text_direction_codepoint lint

enthropy7 · enthropy7 · commit b20cc7000eb0 · 2026-01-02T06:06:52.000+03:00
Detects Unicode BiDi control codepoints in Cargo.toml files to
mitigate Trojan Source attacks (CVE-2021-42574).

Features:
- Detects 9 Unicode BiDi control codepoints
- Groups multiple codepoints on same line into single error (like rustc)
- Moves workspace check into lint function for cleaner architecture
- Uses rustc-style diagnostics with codepoint info in label annotation
- Includes explanatory note about BiDi codepoint risks
- Deny-by-default lint level
diff --git a/src/cargo/core/workspace.rs b/src/cargo/core/workspace.rs
@@ -25,6 +25,7 @@ use crate::lints::analyze_cargo_lints_table;
 use crate::lints::rules::blanket_hint_mostly_unused;
 use crate::lints::rules::check_im_a_teapot;
 use crate::lints::rules::implicit_minimum_version_req;
+use crate::lints::rules::text_direction_codepoint;
 use crate::ops;
 use crate::sources::{CRATES_IO_INDEX, CRATES_IO_REGISTRY, PathSource, SourceConfigMap};
 use crate::util::context::{FeatureUnification, Value};
@@ -1313,6 +1314,13 @@ impl<'gctx> Workspace<'gctx> {
                 &mut run_error_count,
                 self.gctx,
             )?;
+            text_direction_codepoint(
+                pkg.into(),
+                &path,
+                &cargo_lints,
+                &mut run_error_count,
+                self.gctx,
+            )?;
 
             if run_error_count > 0 {
                 let plural = if run_error_count == 1 { "" } else { "s" };
@@ -1370,6 +1378,13 @@ impl<'gctx> Workspace<'gctx> {
                 &mut run_error_count,
                 self.gctx,
             )?;
+            text_direction_codepoint(
+                self.root_maybe().into(),
+                self.root_manifest(),
+                &cargo_lints,
+                &mut run_error_count,
+                self.gctx,
+            )?;
         }
 
         // This is a short term hack to allow `blanket_hint_mostly_unused`
diff --git a/src/cargo/lints/rules/mod.rs b/src/cargo/lints/rules/mod.rs
@@ -1,16 +1,19 @@
 mod blanket_hint_mostly_unused;
 mod im_a_teapot;
 mod implicit_minimum_version_req;
+mod text_direction_codepoint;
 mod unknown_lints;
 
 pub use blanket_hint_mostly_unused::blanket_hint_mostly_unused;
 pub use im_a_teapot::check_im_a_teapot;
 pub use implicit_minimum_version_req::implicit_minimum_version_req;
+pub use text_direction_codepoint::text_direction_codepoint;
 pub use unknown_lints::output_unknown_lints;
 
 pub const LINTS: &[crate::lints::Lint] = &[
     blanket_hint_mostly_unused::LINT,
     implicit_minimum_version_req::LINT,
     im_a_teapot::LINT,
+    text_direction_codepoint::LINT,
     unknown_lints::LINT,
 ];
diff --git a/src/cargo/lints/rules/text_direction_codepoint.rs b/src/cargo/lints/rules/text_direction_codepoint.rs
@@ -0,0 +1,140 @@
+use std::path::Path;
+
+use annotate_snippets::AnnotationKind;
+use annotate_snippets::Group;
+use annotate_snippets::Level;
+use annotate_snippets::Snippet;
+use cargo_util_schemas::manifest::TomlToolLints;
+
+use crate::CargoResult;
+use crate::GlobalContext;
+use crate::core::MaybePackage;
+use crate::lints::Lint;
+use crate::lints::LintLevel;
+use crate::lints::ManifestFor;
+use crate::lints::rel_cwd_manifest_path;
+
+/// Unicode BiDi (bidirectional) control codepoints that can be used in
+/// "Trojan Source" attacks (CVE-2021-42574).
+///
+/// These codepoints change the visual representation of text on screen
+/// in a way that does not correspond to their in-memory representation.
+const UNICODE_BIDI_CODEPOINTS: &[(char, &str)] = &[
+    ('\u{202A}', "LEFT-TO-RIGHT EMBEDDING"),
+    ('\u{202B}', "RIGHT-TO-LEFT EMBEDDING"),
+    ('\u{202C}', "POP DIRECTIONAL FORMATTING"),
+    ('\u{202D}', "LEFT-TO-RIGHT OVERRIDE"),
+    ('\u{202E}', "RIGHT-TO-LEFT OVERRIDE"),
+    ('\u{2066}', "LEFT-TO-RIGHT ISOLATE"),
+    ('\u{2067}', "RIGHT-TO-LEFT ISOLATE"),
+    ('\u{2068}', "FIRST STRONG ISOLATE"),
+    ('\u{2069}', "POP DIRECTIONAL ISOLATE"),
+];
+
+pub const LINT: Lint = Lint {
+    name: "text_direction_codepoint",
+    desc: "unicode codepoint changing visible direction of text present in manifest",
+    groups: &[],
+    default_level: LintLevel::Deny,
+    edition_lint_opts: None,
+    feature_gate: None,
+    docs: None,
+};
+
+pub fn text_direction_codepoint(
+    manifest: ManifestFor<'_>,
+    manifest_path: &Path,
+    cargo_lints: &TomlToolLints,
+    error_count: &mut usize,
+    gctx: &GlobalContext,
+) -> CargoResult<()> {
+    let (lint_level, reason) = manifest.lint_level(cargo_lints, LINT);
+
+    if lint_level == LintLevel::Allow {
+        return Ok(());
+    }
+
+    // Skip non-virtual workspace manifests - they are already checked as Package via emit_pkg_lints
+    if matches!(&manifest, ManifestFor::Workspace(MaybePackage::Package(_))) {
+        return Ok(());
+    }
+
+    let contents = manifest.contents();
+    let manifest_path_str = rel_cwd_manifest_path(manifest_path, gctx);
+
+    let findings: Vec<_> = contents
+        .char_indices()
+        .filter_map(|(idx, ch)| {
+            UNICODE_BIDI_CODEPOINTS
+                .iter()
+                .find(|(c, _)| *c == ch)
+                .map(|(_, name)| (idx, ch, *name))
+        })
+        .collect();
+
+    if findings.is_empty() {
+        return Ok(());
+    }
+
+    // Build line number map
+    let mut line_map = Vec::new();
+    line_map.push(0);
+    for (idx, ch) in contents.char_indices() {
+        if ch == '\n' {
+            line_map.push(idx + 1);
+        }
+    }
+
+    let mut findings_by_line: std::collections::BTreeMap<usize, Vec<_>> =
+        std::collections::BTreeMap::new();
+    for (byte_idx, ch, name) in findings {
+        let line_num = line_map
+            .iter()
+            .rposition(|&line_start| line_start <= byte_idx)
+            .map(|i| i + 1)
+            .unwrap_or(1);
+        findings_by_line
+            .entry(line_num)
+            .or_insert_with(Vec::new)
+            .push((byte_idx, ch, name));
+    }
+
+    let level = lint_level.to_diagnostic_level();
+    let emitted_source = LINT.emitted_source(lint_level, reason);
+
+    for (line_idx, line_findings) in findings_by_line.values().enumerate() {
+        if lint_level.is_error() {
+            *error_count += 1;
+        }
+
+        let title = LINT.desc.to_string();
+
+        // Build snippet with multiple annotations
+        let labels: Vec<String> = line_findings
+            .iter()
+            .map(|(_, ch, name)| format!(r#"`\u{{{:04X}}}` ({})"#, *ch as u32, name))
+            .collect();
+
+        let mut snippet = Snippet::source(contents).path(&manifest_path_str);
+        for ((byte_idx, ch, _), label) in line_findings.iter().zip(labels.iter()) {
+            let span = *byte_idx..(*byte_idx + ch.len_utf8());
+            snippet = snippet.annotation(AnnotationKind::Primary.span(span).label(label));
+        }
+
+        let mut group = Group::with_title(level.clone().primary_title(&title)).element(snippet);
+
+        if line_idx == 0 {
+            group = group.element(Level::NOTE.message(&emitted_source));
+            group = group.element(Level::NOTE.message(
+                "these kinds of unicode codepoints change the way text flows in applications/editors that support them, but can cause confusion because they change the order of characters on the screen",
+            ));
+        }
+        group = group.element(
+            Level::HELP.message("if their presence wasn't intentional, you can remove them"),
+        );
+
+        gctx.shell().print_report(&[group], lint_level.force())?;
+    }
+
+    Ok(())
+}
diff --git a/tests/testsuite/lints/text_direction_codepoint.rs b/tests/testsuite/lints/text_direction_codepoint.rs
@@ -19,9 +19,18 @@ description = \"A \u{202E}test package\"
 
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[CHECKING] foo v0.0.1 ([ROOT]/foo)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+[ERROR] unicode codepoint changing visible direction of text present in manifest
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test package"
+  |                  ^ `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [NOTE] these kinds of unicode codepoints change the way text flows in applications/editors that support them, but can cause confusion because they change the order of characters on the screen
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 1 error while running lints
 
 "#]])
         .run();
@@ -36,6 +45,73 @@ name = \"foo\"
 version = \"0.0.1\"
 edition = \"2015\"
 description = \"A \u{202E}test\u{202D} package\"
+";
+    let p = project()
+        .file("Cargo.toml", manifest)
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("check -Zcargo-lints")
+        .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
+        .with_stderr_data(str![[r#"
+[ERROR] unicode codepoint changing visible direction of text present in manifest
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test� package"
+  |                  ^    ^ `/u{202D}` (LEFT-TO-RIGHT OVERRIDE)
+  |                  |
+  |                  `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [NOTE] these kinds of unicode codepoints change the way text flows in applications/editors that support them, but can cause confusion because they change the order of characters on the screen
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 1 error while running lints
+
+"#]])
+        .run();
+}
+
+#[cargo_test]
+fn allow_lint() {
+    // Test that the lint can be allowed
+    let manifest = "
+[package]
+name = \"foo\"
+version = \"0.0.1\"
+edition = \"2015\"
+description = \"A \u{202E}test package\"
+
+[lints.cargo]
+text_direction_codepoint = \"allow\"
+";
+    let p = project()
+        .file("Cargo.toml", manifest)
+        .file("src/lib.rs", "")
+        .build();
+
+    p.cargo("check -Zcargo-lints")
+        .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_stderr_data(str![[r#"
+[CHECKING] foo v0.0.1 ([ROOT]/foo)
+[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+
+"#]])
+        .run();
+}
+
+#[cargo_test]
+fn warn_lint() {
+    // Test that the lint can be set to warn
+    let manifest = "
+[package]
+name = \"foo\"
+version = \"0.0.1\"
+edition = \"2015\"
+description = \"A \u{202E}test package\"
+
+[lints.cargo]
+text_direction_codepoint = \"warn\"
 ";
     let p = project()
         .file("Cargo.toml", manifest)
@@ -45,6 +121,15 @@ description = \"A \u{202E}test\u{202D} package\"
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
         .with_stderr_data(str![[r#"
+[WARNING] unicode codepoint changing visible direction of text present in manifest
+ --> Cargo.toml:6:18
+  |
+6 | description = "A �test package"
+  |                  ^ `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `warn` in `[lints]`
+  = [NOTE] these kinds of unicode codepoints change the way text flows in applications/editors that support them, but can cause confusion because they change the order of characters on the screen
+  = [HELP] if their presence wasn't intentional, you can remove them
 [CHECKING] foo v0.0.1 ([ROOT]/foo)
 [FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
 
@@ -79,18 +164,24 @@ edition = "2015"
 }
 
 #[cargo_test]
-fn workspace_member_bidi() {
-    // Workspace with BiDi in member package
+fn workspace_inherited_allow() {
+    // Workspace-level lint configuration with member package
     let manifest = "
 [workspace]
 members = [\"foo\"]
+
+[workspace.lints.cargo]
+text_direction_codepoint = \"allow\"
 ";
     let foo_manifest = "
 [package]
 name = \"foo\"
 version = \"0.0.1\"
 edition = \"2015\"
 description = \"A \u{202E}test package\"
+
+[lints]
+workspace = true
 ";
     let p = project()
         .file("Cargo.toml", manifest)
@@ -132,9 +223,18 @@ edition = "2015"
 
     p.cargo("check -Zcargo-lints")
         .masquerade_as_nightly_cargo(&["cargo-lints"])
+        .with_status(101)
         .with_stderr_data(str![[r#"
-[CHECKING] foo v0.0.1 ([ROOT]/foo/foo)
-[FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [ELAPSED]s
+[ERROR] unicode codepoint changing visible direction of text present in manifest
+ --> Cargo.toml:6:14
+  |
+6 | info = "test �info"
+  |              ^ `/u{202E}` (RIGHT-TO-LEFT OVERRIDE)
+  |
+  = [NOTE] `cargo::text_direction_codepoint` is set to `deny` by default
+  = [NOTE] these kinds of unicode codepoints change the way text flows in applications/editors that support them, but can cause confusion because they change the order of characters on the screen
+  = [HELP] if their presence wasn't intentional, you can remove them
+[ERROR] encountered 1 error while running lints
 
 "#]])
         .run();
