Skip to content

Add text_direction_codepoint lint (CVE-2021-42574) #16451

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
enthropy7 wants to merge 1 commit into from
Closed

Add text_direction_codepoint lint (CVE-2021-42574) #16451

enthropy7 wants to merge 1 commit into from

Conversation

@enthropy7
Copy link

@enthropy7 enthropy7 commented Dec 31, 2025

What does this PR try to resolve?

This PR implements the text_direction_codepoint lint for Cargo.toml files:
Fixes #16373 and #16374

lint detects Unicode BiDi (bidirectional) control codepoints that can be used in "Trojan Source" attacks. These invisible characters can alter the visual display of text without changing its underlying representation, potentially making malicious manifest content appear benign. All like descritped in rustc's text_direction_codepoint_in_comment/literal lint but for Cargo manifests.

Detected codepoints:

  • U+202A LEFT-TO-RIGHT EMBEDDING
  • U+202B RIGHT-TO-LEFT EMBEDDING
  • U+202C POP DIRECTIONAL FORMATTING
  • U+202D LEFT-TO-RIGHT OVERRIDE
  • U+202E RIGHT-TO-LEFT OVERRIDE
  • U+2066 LEFT-TO-RIGHT ISOLATE
  • U+2067 RIGHT-TO-LEFT ISOLATE
  • U+2068 FIRST STRONG ISOLATE
  • U+2069 POP DIRECTIONAL ISOLATE

Default level: deny

How to test and review this PR?

cargo test -p cargo --test testsuite -- lints::text_direction_codepoint
Manual testing:

Create a manifest with BiDi codepoint (U+202E)

printf '[package]\nname = "foo"\nversion = "0.1.0"\nedition = "2024"\ndescription = "A \xE2\x80\xAEtest"\n' > Cargo.toml
mkdir -p src && echo 'fn main(){}' > src/main.rs
cargo +nightly check -Zcargo-lints

The lint can be configured via [lints.cargo]:

[lints.cargo]
text_direction_codepoint = "allow"  # or "warn"

@rustbot rustbot added A-workspaces Area: workspaces S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 31, 2025
@rustbot
Copy link
Collaborator

rustbot commented Dec 31, 2025

r? @weihanglo

rustbot has assigned @weihanglo.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@enthropy7 enthropy7 closed this Dec 31, 2025
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Dec 31, 2025
@enthropy7
Copy link
Author

enthropy7 commented Dec 31, 2025

need2test a little bit more

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@weihanglo weihanglo

Labels

A-workspaces Area: workspaces

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add text-direction-codepoint-in-literal lint

3 participants

@enthropy7 @rustbot @weihanglo