Security Tool

bidi-guard

Scan code for invisible bidirectional Unicode characters. Prevent Trojan Source attacks before they reach production.

CVE-2021-42574
Trojan Source — code looks safe, executes differently
$ pip install bidi-guard
The Attack
Code that lies to your eyes.
Invisible Unicode characters can reverse text direction, making code display differently than it executes. A reviewer sees one thing — the compiler runs another.
What you see in review
access_level = "admin"
if access_level != "user":
    grant_access()
What actually runs
access_level = "[U+202E]nimda[U+202C]"
if access_level != "user":
    grant_access()
Commands
5 commands. Zero config.

scan

Find invisible bidi chars in your codebase. Rich table output with severity, position, and context.

ci

CI-friendly mode. Exit code 1 on critical findings. Grep-compatible output. Built for GitHub Actions.

fix

Strip dangerous characters automatically. Shows diff preview before writing. Use --yes to skip prompt.

explain

Learn about Trojan Source. Visual demo of the attack, full character table, CVE reference.

init

Generate GitHub Action workflow and pre-commit hook configs. Use --write to create files directly.

Detection
16 dangerous characters. 3 severity levels.
CRITICAL characters can reorder displayed code. WARNING characters are directional marks that affect text direction. INFO characters are usually harmless but worth knowing about.
Codepoint  Name                        Abbr  Severity
U+202A     Left-to-Right Embedding     LRE   CRIT
U+202B     Right-to-Left Embedding     RLE   CRIT
U+202C     Pop Directional Formatting  PDF   CRIT
U+202D     Left-to-Right Override      LRO   CRIT
U+202E     Right-to-Left Override      RLO   CRIT
U+2066     Left-to-Right Isolate       LRI   CRIT
U+2067     Right-to-Left Isolate       RLI   CRIT
U+2068     First Strong Isolate        FSI   CRIT
U+2069     Pop Directional Isolate     PDI   CRIT
U+200E     Left-to-Right Mark          LRM   WARN
U+200F     Right-to-Left Mark          RLM   WARN
U+061C     Arabic Letter Mark          ALM   WARN
U+200B     Zero Width Space            ZWSP  INFO
U+200C     Zero Width Non-Joiner       ZWNJ  INFO
U+200D     Zero Width Joiner           ZWJ   INFO
U+FEFF     Byte Order Mark             BOM   INFO
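The detection table above as a runnable scanner (an added example, not bidi-guard's own code): it reports line, column, codepoint and severity for each of the 16 characters, applies the ci rule of exit 1 only on CRITICAL findings, and strips CRIT characters the way a fix pass would. The names scan, exit_code and fix are this example's own, and stripping only CRIT (not WARN or INFO) in fix is an assumption, not documented tool behaviour.

```python
# Added example (not bidi-guard's own code): a minimal scanner for the 16
# codepoints in the table, using the page's three severity levels, plus a
# fix() that strips CRIT characters (assumption: WARN/INFO are left alone).
import re
from typing import NamedTuple

BIDI_CHARS = {
    "\u202a": ("LRE", "CRIT"), "\u202b": ("RLE", "CRIT"),
    "\u202c": ("PDF", "CRIT"), "\u202d": ("LRO", "CRIT"),
    "\u202e": ("RLO", "CRIT"), "\u2066": ("LRI", "CRIT"),
    "\u2067": ("RLI", "CRIT"), "\u2068": ("FSI", "CRIT"),
    "\u2069": ("PDI", "CRIT"),
    "\u200e": ("LRM", "WARN"), "\u200f": ("RLM", "WARN"),
    "\u061c": ("ALM", "WARN"),
    "\u200b": ("ZWSP", "INFO"), "\u200c": ("ZWNJ", "INFO"),
    "\u200d": ("ZWJ", "INFO"), "\ufeff": ("BOM", "INFO"),
}
PATTERN = re.compile("[" + "".join(BIDI_CHARS) + "]")

class Finding(NamedTuple):
    line: int       # 1-based line number
    col: int        # 1-based column, counted in code points (not bytes)
    codepoint: str  # e.g. "U+202E"
    abbr: str
    severity: str

def scan(source: str) -> list[Finding]:
    """Return every bidi control character in source with its position."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for m in PATTERN.finditer(text):
            ch = m.group()
            abbr, sev = BIDI_CHARS[ch]
            findings.append(Finding(lineno, m.start() + 1, f"U+{ord(ch):04X}", abbr, sev))
    return findings

def exit_code(findings: list[Finding]) -> int:
    """CI semantics from the page: exit 1 only when a CRITICAL finding exists."""
    return 1 if any(f.severity == "CRIT" for f in findings) else 0

def fix(source: str) -> str:
    """Strip CRIT characters (the ones that can reorder displayed code)."""
    return "".join(c for c in source if BIDI_CHARS.get(c, ("", ""))[1] != "CRIT")

# Constructed sample: the Trojan Source snippet from the page, with the
# RLO/PDF pair that makes "nimda" render as "admin" in an editor.
SAMPLE = 'access_level = "\u202enimda\u202c"\nif access_level != "user":\n    grant_access()\n'
```

Running scan(SAMPLE) reports the RLO at line 1 column 17 and the PDF at column 23, both CRIT, so exit_code returns 1; fix(SAMPLE) yields the literal string "nimda" with no controls left.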
Get Started
Three lines to protect your code.
# Install
$ pip install bidi-guard

# Scan your project
$ bidi-guard scan .

# Add to CI (exit 1 on critical findings)
$ bidi-guard ci .

# Auto-fix dangerous characters
$ bidi-guard fix . --yes

# Learn about the attack
$ bidi-guard explain

# Set up GitHub Action
$ bidi-guard init --github-action --write