bidi-guard
Scan code for invisible bidirectional Unicode characters. Prevent Trojan Source attacks.
CVE-2021-42574 — invisible Unicode characters can make source code display differently than it executes. Code that passes review can contain hidden logic.
$
pip install bidi-guard
Chapter I
The Attack
Code that lies to your eyes.
What you see
access_level = "admin"
if access_level != "user":
grant_access()
What runs
access_level = "[U+202E]nimda[U+202C]" if access_level != "user": grant_access()
Chapter II
See It
Chapter III
Commands
5 commands. Zero config.
- scan
Find invisible bidi chars with Rich table output - ci
CI mode — exit 1 on critical findings - fix
Strip dangerous chars with diff preview - explain
Learn about Trojan Source visually - init
Generate GitHub Action + pre-commit hook
Chapter IV
16 Characters
3 severity levels: Critical, Warning, Info.
| Codepoint | Name | Abbr | Severity |
|---|---|---|---|
| U+202A | Left-to-Right Embedding | LRE | CRIT |
| U+202B | Right-to-Left Embedding | RLE | CRIT |
| U+202C | Pop Directional Formatting | CRIT | |
| U+202D | Left-to-Right Override | LRO | CRIT |
| U+202E | Right-to-Left Override | RLO | CRIT |
| U+2066 | Left-to-Right Isolate | LRI | CRIT |
| U+2067 | Right-to-Left Isolate | RLI | CRIT |
| U+2068 | First Strong Isolate | FSI | CRIT |
| U+2069 | Pop Directional Isolate | PDI | CRIT |
| U+200E | Left-to-Right Mark | LRM | WARN |
| U+200F | Right-to-Left Mark | RLM | WARN |
| U+061C | Arabic Letter Mark | ALM | WARN |
| U+200B | Zero Width Space | ZWSP | INFO |
| U+200C | Zero Width Non-Joiner | ZWNJ | INFO |
| U+200D | Zero Width Joiner | ZWJ | INFO |
| U+FEFF | Byte Order Mark | BOM | INFO |
Chapter V
Get Started
# Install
$ pip install bidi-guard
# Scan your project
$ bidi-guard scan .
# Add to CI
$ bidi-guard ci .
# Auto-fix
$ bidi-guard fix . --yes
# Set up GitHub Action
$ bidi-guard init --github-action --write