CVE-2021-42574 Unicode Bidi override vulnerability

[NthPortal]

Use of Unicode Bidi override control characters allows malicious attackers to write code that looks like it does one thing, but actually does another, especially by embedding such control characters in string literals or comments.

Repro:
https://gist.github.com/NthPortal/a69b08eb5d2185573e5a561978f1f94e
(GitHub already has a warning for this vulnerability, which is nice)

The compiler should disallow use of such codepoints by default, and have a flag to allow use (potentially specifying only specific files that can use them). I'm drawing my suggestion purely from what Rust has done.

References:

• CVE database
• Rust security advisory
• KrebsOnSecurity blog post

[jducoeur]

Sounds like the right approach to me. While there are valid use cases, they're pretty uncommon, and this is a big enough security risk (especially for open source projects) that the hole should be closed by default.

[som-snytt]

The flag to enable such a lint should be -Xlint.

[NthPortal]

it should be enabled by default. possible flag to allow bidi is -Xallow-bidi-matching <regex file pattern>. potentially -Xallow-bidi-global if needed, but that seems overly permissive for no reason

[NthPortal]

ty for the label @SethTisue :)

[som-snytt]

They just got rid of language forking options. If this really has to happen at the language level then import language.bidi.

[NthPortal]

perhaps the X is incorrect - I'm not super well versed in flag naming. it doesn't really affect language semantics, just what files the compiler will allow/refuse to parse. -allow-bidi-in:<regex> (like -opt-inline-from) might be better.

[som-snytt]

There are charming comments on rust pr that github warns about embedded bidi in the files and that the sources won't bootstrap. That sounds familiar. They are also more tightly bound to Linux distro consumers.

I see that -Xelide-below and -Yimports, neither beloved, are the remaining options that violate WYSIWYG.

-opt-inline-from is unwieldy, there is a ticket to improve those ergonomics.

We also accept Unicode identifiers, so it's not just strings and comments. rust says they already lint "homoglyphs".

Another idea is a dedicated interpolator that allows dangerous codepoints.