Quoting from the Rust advisory as it's the only public one so far: "Unicode has support for both left-to-right and right-to-left languages, and to aid writing left-to-right words inside a right-to-left sentence (or vice versa) it also features invisible codepoints called "bidirectional override". These codepoints are normally used across the Internet to embed a word inside a sentence of another language (with a different text direction), but it was reported to us that they could be used to manipulate how source code is displayed in some editors and code review tools, leading to the reviewed code being different than the compiled code. This is especially bad if the whole team relies on bidirectional-aware tooling."

- https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html
- https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/
- https://github.com/nickboucher/trojan-source
Is anyone aware of a community-driven code scanning tool that has a public repo, issue tracker and can accept PRs?

Red Hat has a nice beginning of a scanning tool here: https://access.redhat.com/security/vulnerabilities/RHSB-2021-007 Unfortunately, in its default mode it alerts on the BOM marker bytes (0xfe 0xff) that Windows editors like to put at the beginning of every(?) text file. There are knobs to control which files are skipped, and to enable only printing bidi(rectional) control characters, but no way to suppress specific control characters, much less at specific file offsets. Also it lacks a ^C handler, and it dies if it encounters a dangling symlink. I see no license stated in find_unicode_control2.py or its accompanying README.txt, so I don't know the legality of posting improvements to it publicly.
Pagure has https://pagure.io/pagure/c/8bacd4da4fa6de578b818aa7a4b36bbeaaa243d7?branch=master.
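As an added example for this thread (not Red Hat's find_unicode_control2.py, and not a description of how that script is built), here is a small scanner with the behaviour the post above asks for: it reports only the nine bidi embedding/override/isolate controls, never the BOM (UTF-8 and UTF-16 BOMs are consumed while decoding, and U+FEFF is not a bidi control anyway), lets you suppress a specific hit by path and character offset, skips dangling symlinks and unreadable files with a warning instead of dying, and turns Ctrl-C into a clean partial report. The sample tree in `demo()` is constructed here for illustration and is not a real repository.

```python
#!/usr/bin/env python3
"""Find Unicode bidirectional control characters in a source tree.

Added example for this thread; not Red Hat's find_unicode_control2.py and
not a description of how that script works. It has the behaviour the post
asks for: a BOM is never reported (U+FEFF is not a bidi control, and UTF-8
and UTF-16 BOMs are consumed while decoding), single hits can be suppressed
by (path, character offset), dangling symlinks and unreadable files are
skipped with a warning, and Ctrl-C ends the walk with partial results.
"""
import codecs
import os
import sys
import tempfile
from typing import Dict, List, Set, Tuple

# The nine embedding/override/isolate controls the Trojan Source paper abuses.
BIDI_CONTROLS: Dict[int, str] = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}
Hit = Tuple[int, int, int, str]      # (char offset, line, column, control name)
Suppress = Set[Tuple[str, int]]      # {(path, char offset), ...} to ignore


def decode_source(raw: bytes) -> str:
    """UTF-16 if a UTF-16 BOM leads the file, else UTF-8; either BOM is stripped."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def scan_text(text: str) -> List[Hit]:
    """Every bidi control in `text`, with 0-based char offset and 1-based line/column."""
    hits: List[Hit] = []
    line, col = 1, 1
    for offset, ch in enumerate(text):
        name = BIDI_CONTROLS.get(ord(ch))
        if name is not None:
            hits.append((offset, line, col, name))
        line, col = (line + 1, 1) if ch == "\n" else (line, col + 1)
    return hits


def scan_file(path: str, suppress: Suppress = frozenset()) -> List[Hit]:
    """Scan one file, dropping hits whose (path, offset) is in `suppress`."""
    with open(path, "rb") as fh:
        text = decode_source(fh.read())
    return [h for h in scan_text(text) if (path, h[0]) not in suppress]


def scan_tree(root: str, suppress: Suppress = frozenset()) -> Dict[str, List[Hit]]:
    """Walk `root` (not following symlinked dirs) and collect hits per file."""
    findings: Dict[str, List[Hit]] = {}
    try:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) and not os.path.exists(path):
                    print(f"warning: dangling symlink skipped: {path}", file=sys.stderr)
                    continue
                try:
                    hits = scan_file(path, suppress)
                except OSError as exc:        # unreadable, vanished, special file...
                    print(f"warning: cannot read {path}: {exc}", file=sys.stderr)
                    continue
                if hits:
                    findings[path] = hits
    except KeyboardInterrupt:                 # Ctrl-C: no traceback, keep what we have
        print("interrupted; reporting partial results", file=sys.stderr)
    return findings


def demo() -> Dict[str, Dict[str, List[Hit]]]:
    """Scan a constructed sample tree (made up here, not a real repository)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "bad.c")     # RLO/isolates reorder the rendered comment
        with open(bad, "w", encoding="utf-8") as fh:
            fh.write("int x = 1;\n/* \u202e } \u2066if (admin)\u2069 \u2066 begin */\n")
        with open(os.path.join(tmp, "bom8.txt"), "wb") as fh:     # EF BB BF: no hit
            fh.write(codecs.BOM_UTF8 + b"plain ascii\n")
        with open(os.path.join(tmp, "bom16.txt"), "wb") as fh:    # FE FF: no hit
            fh.write(codecs.BOM_UTF16_BE + "plain\n".encode("utf-16-be"))
        try:                                                      # dangling symlink
            os.symlink(os.path.join(tmp, "missing"), os.path.join(tmp, "dangling"))
        except OSError:
            pass                             # platform without symlinks: skip that case
        rel = lambda d: {os.path.relpath(p, tmp): h for p, h in d.items()}
        return {"all": rel(scan_tree(tmp)),
                "rlo_suppressed": rel(scan_tree(tmp, {(bad, 14)}))}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    # extra args: path:offset pairs to suppress, e.g. src/x.c:14
    ignore = {(p, int(o)) for p, o in (a.rsplit(":", 1) for a in sys.argv[2:])}
    for path, hits in sorted(scan_tree(root, ignore).items()):
        for offset, line, col, name in hits:
            print(f"{path}:{line}:{col}: {name} at char offset {offset}")
```

Run it as `python3 scan_bidi.py path/to/repo src/x.c:14` (the filename and the suppression argument are assumptions for this example). Suppressing by character offset rather than by control name is deliberate: an allowlisted offset stops matching as soon as anything before it in the file changes, so a reviewed exception cannot silently cover a later edit.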