From: Skip Montanaro <skip.montanaro@gmail.com>
To: Help GNU Emacs <help-gnu-emacs@gnu.org>
Subject: Trojan Source detection/highlight in Emacs?
Date: Mon, 1 Nov 2021 17:19:16 -0500
Message-ID: <CANc-5Uy_au4VV2AGWO1pYHZHVTfHFqCmig06GdN5CfHfrBu1tA@mail.gmail.com>

The recent Trojan Source vulnerability crossed my newsfeed a day or two
ago. Here's an article from Krebs on Security:

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Here's the rub:

Most programming languages let you put these Bidi overrides in comments and
strings. This is bad because most programming languages allow comments
within which all text — including control characters — is ignored by
compilers and interpreters. Also, it’s bad because most programming
languages allow string literals that may contain arbitrary characters,
including control characters.

...

The research paper, which dubbed the vulnerability “Trojan Source,” notes
that while both comments and strings will have syntax-specific semantics
indicating their start and end, *these bounds are not respected by Bidi
overrides*.


Krebs didn't give a concrete code example, but did reference a Rust Lang
blog post which does:

https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html

As an example, the following snippet (with {U+NNNN} replaced with the
Unicode codepoint NNNN):


if access_level != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}" {


...would be rendered by bidirectional-aware tools as:


if access_level != "user" { // Check if admin


This would give the reader the mistaken impression that the program is
comparing admin_level with the value "user".

There is also a C example on the Trojan Source website (scroll down):

https://trojansource.codes/

You can also get to the PDF of the paper describing the problem.

Rust is adding detection to its lint tool. It seems that may be the
approach taken by the maintainers of other languages.

The Python community is working on a PEP for this (doesn't even yet have a
number), but you can view the nascent PEP and discussion here:

https://mail.python.org/archives/list/python-dev@python.org/thread/6DBJJRQHA2SP5Q27MOMDSTCOXMW7ITNR/#6DBJJRQHA2SP5Q27MOMDSTCOXMW7ITNR

IDEs, editors, and lint tools are probably where the bulk of the action
will be. Has this been discussed within the Emacs developer community?
Maybe a bidi minor mode would be a good place to implement some
colorization, with the minor mode enabled by default in most programming
language major modes (with easy disabling by the user).

Let's be careful out there...

Skip Montanaro
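
Added example, not part of the original message or of Emacs: a small Python scanner for the nine bidi control characters listed in the Trojan Source paper. It reports each one by line and column, rewrites it in the {U+NNNN} notation used in the Rust blog snippet above, and counts embeddings, overrides and isolates left unterminated at end of line. The function names and the sample text are assumptions made for this illustration.

```python
import unicodedata

# The nine bidi control characters listed in the Trojan Source paper.
EMBED_OVERRIDE = {"\u202A", "\u202B", "\u202D", "\u202E"}  # LRE, RLE, LRO, RLO
ISOLATE = {"\u2066", "\u2067", "\u2068"}                    # LRI, RLI, FSI
PDF, PDI = "\u202C", "\u2069"                               # the two terminators
BIDI_CONTROLS = EMBED_OVERRIDE | ISOLATE | {PDF, PDI}


def reveal(line):
    """Replace each bidi control with a visible {U+NNNN} placeholder."""
    return "".join(f"{{U+{ord(c):04X}}}" if c in BIDI_CONTROLS else c for c in line)


def scan_line(line):
    """Return (hits, unterminated) for one line of source text."""
    hits, stack = [], []
    for col, ch in enumerate(line, start=1):
        if ch not in BIDI_CONTROLS:
            continue
        hits.append((col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
        if ch in ISOLATE:
            stack.append(PDI)
        elif ch in EMBED_OVERRIDE:
            stack.append(PDF)
        elif ch == PDI and PDI in stack:
            # PDI closes the nearest isolate plus anything opened inside it.
            while stack.pop() != PDI:
                pass
        elif ch == PDF and stack and stack[-1] == PDF:
            stack.pop()
    return hits, len(stack)


def scan_source(text):
    """Return [(line_no, revealed_line, hits, unterminated)] for flagged lines."""
    report = []
    for no, line in enumerate(text.splitlines(), start=1):
        hits, unterminated = scan_line(line)
        if hits:
            report.append((no, reveal(line), hits, unterminated))
    return report


# Constructed sample: line 2 is the Rust blog snippet quoted in the message.
SAMPLE = ('let access_level = "guest";\n'
          'if access_level != "user\u202E \u2066// Check if admin\u2069 \u2066" {\n'
          '    println!("balanced: \u2067abc\u2069");\n}\n')

if __name__ == "__main__":
    for no, shown, hits, unterminated in scan_source(SAMPLE):
        print(f"line {no}: {len(hits)} bidi controls, {unterminated} unterminated: {shown}")
```

A line whose unterminated count is above zero is the stronger signal, since the reordering then runs to the end of the line, past the closing quote or comment delimiter.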

