Skip to content

Commit

Permalink
Lint against RTL unicode codepoints in literals and comments
Browse files Browse the repository at this point in the history 
Address CVE-2021-42574.
  • Loading branch information
@estebank @pietroalbini
estebank authored and pietroalbini committed Oct 31, 2021
1 parent 38b01d9 commit c0b1345
Show file tree
Hide file tree
Showing 12 changed files with 535 additions and 10 deletions.
1 change: 1 addition & 0 deletions Cargo.lock
View file
Expand Up @@ -4259,6 +4259,7 @@ dependencies = [
"rustc_span",
"tracing",
"unicode-normalization",
"unicode-width",
]

[[package]]
Expand Down
20 changes: 19 additions & 1 deletion compiler/rustc_errors/src/emitter.rs
View file
Expand Up @@ -2063,8 +2063,26 @@ fn num_decimal_digits(num: usize) -> usize {
MAX_DIGITS
}

// We replace some characters so the CLI output is always consistent and underlines aligned.
const OUTPUT_REPLACEMENTS: &[(char, &str)] = &[
('\t', " "), // We do our own tab replacement
('\u{202A}', ""), // The following unicode text flow control characters are inconsistently
('\u{202B}', ""), // supported accross CLIs and can cause confusion due to the bytes on disk
('\u{202D}', ""), // not corresponding to the visible source code, so we replace them always.
('\u{202E}', ""),
('\u{2066}', ""),
('\u{2067}', ""),
('\u{2068}', ""),
('\u{202C}', ""),
('\u{2069}', ""),
];

fn replace_tabs(str: &str) -> String {
str.replace('\t', " ")
let mut s = str.to_string();
for (c, replacement) in OUTPUT_REPLACEMENTS {
s = s.replace(*c, replacement);
}
s
}

fn draw_col_separator(buffer: &mut StyledBuffer, line: usize, col: usize) {
Expand Down
39 changes: 38 additions & 1 deletion compiler/rustc_lint/src/context.rs
View file
Expand Up @@ -16,6 +16,7 @@

use self::TargetLint::*;

use crate::hidden_unicode_codepoints::UNICODE_TEXT_FLOW_CHARS;
use crate::levels::{is_known_lint_tool, LintLevelsBuilder};
use crate::passes::{EarlyLintPassObject, LateLintPassObject};
use rustc_ast as ast;
Expand All @@ -39,7 +40,7 @@ use rustc_session::lint::{BuiltinLintDiagnostics, ExternDepSpec};
use rustc_session::lint::{FutureIncompatibleInfo, Level, Lint, LintBuffer, LintId};
use rustc_session::Session;
use rustc_span::lev_distance::find_best_match_for_name;
use rustc_span::{symbol::Symbol, MultiSpan, Span, DUMMY_SP};
use rustc_span::{symbol::Symbol, BytePos, MultiSpan, Span, DUMMY_SP};
use rustc_target::abi;
use tracing::debug;

Expand Down Expand Up @@ -597,6 +598,42 @@ pub trait LintContext: Sized {
// Now, set up surrounding context.
let sess = self.sess();
match diagnostic {
BuiltinLintDiagnostics::UnicodeTextFlow(span, content) => {
let spans: Vec<_> = content
.char_indices()
.filter_map(|(i, c)| {
UNICODE_TEXT_FLOW_CHARS.contains(&c).then(|| {
let lo = span.lo() + BytePos(2 + i as u32);
(c, span.with_lo(lo).with_hi(lo + BytePos(c.len_utf8() as u32)))
})
})
.collect();
let (an, s) = match spans.len() {
1 => ("an ", ""),
_ => ("", "s"),
};
db.span_label(span, &format!(
"this comment contains {}invisible unicode text flow control codepoint{}",
an,
s,
));
for (c, span) in &spans {
db.span_label(*span, format!("{:?}", c));
}
db.note(
"these kind of unicode codepoints change the way text flows on \
applications that support them, but can cause confusion because they \
change the order of characters on the screen",
);
if !spans.is_empty() {
db.multipart_suggestion_with_style(
"if their presence wasn't intentional, you can remove them",
spans.into_iter().map(|(_, span)| (span, "".to_string())).collect(),
Applicability::MachineApplicable,
SuggestionStyle::HideCodeAlways,
);
}
},
BuiltinLintDiagnostics::Normal => (),
BuiltinLintDiagnostics::BareTraitObject(span, is_global) => {
let (sugg, app) = match sess.source_map().span_to_snippet(span) {
Expand Down
161 changes: 161 additions & 0 deletions compiler/rustc_lint/src/hidden_unicode_codepoints.rs
View file
@@ -0,0 +1,161 @@
use crate::{EarlyContext, EarlyLintPass, LintContext};
use rustc_ast as ast;
use rustc_errors::{Applicability, SuggestionStyle};
use rustc_span::{BytePos, Span, Symbol};

declare_lint! {
/// The `text_direction_codepoint_in_literal` lint detects Unicode codepoints that change the
/// visual representation of text on screen in a way that does not correspond to their on
/// memory representation.
///
/// ### Explanation
///
/// The unicode characters `\u{202A}`, `\u{202B}`, `\u{202D}`, `\u{202E}`, `\u{2066}`,
/// `\u{2067}`, `\u{2068}`, `\u{202C}` and `\u{2069}` make the flow of text on screen change
/// its direction on software that supports these codepoints. This makes the text "abc" display
/// as "cba" on screen. By leveraging software that supports these, people can write specially
/// crafted literals that make the surrounding code seem like it's performing one action, when
/// in reality it is performing another. Because of this, we proactively lint against their
/// presence to avoid surprises.
///
/// ### Example
///
/// ```rust,compile_fail
/// #![deny(text_direction_codepoint_in_literal)]
/// fn main() {
/// println!("{:?}", '‮');
/// }
/// ```
///
/// {{produces}}
///
pub TEXT_DIRECTION_CODEPOINT_IN_LITERAL,
Deny,
"detect special Unicode codepoints that affect the visual representation of text on screen, \
changing the direction in which text flows",
}

declare_lint_pass!(HiddenUnicodeCodepoints => [TEXT_DIRECTION_CODEPOINT_IN_LITERAL]);

crate const UNICODE_TEXT_FLOW_CHARS: &[char] = &[
'\u{202A}', '\u{202B}', '\u{202D}', '\u{202E}', '\u{2066}', '\u{2067}', '\u{2068}', '\u{202C}',
'\u{2069}',
];

impl HiddenUnicodeCodepoints {
fn lint_text_direction_codepoint(
&self,
cx: &EarlyContext<'_>,
text: Symbol,
span: Span,
padding: u32,
point_at_inner_spans: bool,
label: &str,
) {
// Obtain the `Span`s for each of the forbidden chars.
let spans: Vec<_> = text
.as_str()
.char_indices()
.filter_map(|(i, c)| {
UNICODE_TEXT_FLOW_CHARS.contains(&c).then(|| {
let lo = span.lo() + BytePos(i as u32 + padding);
(c, span.with_lo(lo).with_hi(lo + BytePos(c.len_utf8() as u32)))
})
})
.collect();

cx.struct_span_lint(TEXT_DIRECTION_CODEPOINT_IN_LITERAL, span, |lint| {
let mut err = lint.build(&format!(
"unicode codepoint changing visible direction of text present in {}",
label
));
let (an, s) = match spans.len() {
1 => ("an ", ""),
_ => ("", "s"),
};
err.span_label(
span,
&format!(
"this {} contains {}invisible unicode text flow control codepoint{}",
label, an, s,
),
);
if point_at_inner_spans {
for (c, span) in &spans {
err.span_label(*span, format!("{:?}", c));
}
}
err.note(
"these kind of unicode codepoints change the way text flows on applications that \
support them, but can cause confusion because they change the order of \
characters on the screen",
);
if point_at_inner_spans && !spans.is_empty() {
err.multipart_suggestion_with_style(
"if their presence wasn't intentional, you can remove them",
spans.iter().map(|(_, span)| (*span, "".to_string())).collect(),
Applicability::MachineApplicable,
SuggestionStyle::HideCodeAlways,
);
err.multipart_suggestion(
"if you want to keep them but make them visible in your source code, you can \
escape them",
spans
.into_iter()
.map(|(c, span)| {
let c = format!("{:?}", c);
(span, c[1..c.len() - 1].to_string())
})
.collect(),
Applicability::MachineApplicable,
);
} else {
// FIXME: in other suggestions we've reversed the inner spans of doc comments. We
// should do the same here to provide the same good suggestions as we do for
// literals above.
err.note("if their presence wasn't intentional, you can remove them");
err.note(&format!(
"if you want to keep them but make them visible in your source code, you can \
escape them: {}",
spans
.into_iter()
.map(|(c, _)| { format!("{:?}", c) })
.collect::<Vec<String>>()
.join(", "),
));
}
err.emit();
});
}
}
impl EarlyLintPass for HiddenUnicodeCodepoints {
fn check_attribute(&mut self, cx: &EarlyContext<'_>, attr: &ast::Attribute) {
if let ast::AttrKind::DocComment(_, comment) = attr.kind {
if comment.as_str().contains(UNICODE_TEXT_FLOW_CHARS) {
self.lint_text_direction_codepoint(cx, comment, attr.span, 0, false, "doc comment");
}
}
}

fn check_expr(&mut self, cx: &EarlyContext<'_>, expr: &ast::Expr) {
// byte strings are already handled well enough by `EscapeError::NonAsciiCharInByteString`
let (text, span, padding) = match &expr.kind {
ast::ExprKind::Lit(ast::Lit { token, kind, span }) => {
let text = token.symbol;
if !text.as_str().contains(UNICODE_TEXT_FLOW_CHARS) {
return;
}
let padding = match kind {
// account for `"` or `'`
ast::LitKind::Str(_, ast::StrStyle::Cooked) | ast::LitKind::Char(_) => 1,
// account for `r###"`
ast::LitKind::Str(_, ast::StrStyle::Raw(val)) => *val as u32 + 2,
_ => return,
};
(text, span, padding)
}
_ => return,
};
self.lint_text_direction_codepoint(cx, text, *span, padding, true, "literal");
}
}
3 changes: 3 additions & 0 deletions compiler/rustc_lint/src/lib.rs
View file
Expand Up @@ -48,6 +48,7 @@ pub mod builtin;
mod context;
mod early;
mod enum_intrinsics_non_enums;
pub mod hidden_unicode_codepoints;
mod internal;
mod late;
mod levels;
Expand Down Expand Up @@ -78,6 +79,7 @@ use rustc_span::Span;
use array_into_iter::ArrayIntoIter;
use builtin::*;
use enum_intrinsics_non_enums::EnumIntrinsicsNonEnums;
use hidden_unicode_codepoints::*;
use internal::*;
use methods::*;
use non_ascii_idents::*;
Expand Down Expand Up @@ -129,6 +131,7 @@ macro_rules! early_lint_passes {
DeprecatedAttr: DeprecatedAttr::new(),
WhileTrue: WhileTrue,
NonAsciiIdents: NonAsciiIdents,
HiddenUnicodeCodepoints: HiddenUnicodeCodepoints,
IncompleteFeatures: IncompleteFeatures,
RedundantSemicolons: RedundantSemicolons,
UnusedDocComment: UnusedDocComment,
Expand Down
28 changes: 28 additions & 0 deletions compiler/rustc_lint_defs/src/builtin.rs
View file
Expand Up @@ -3518,6 +3518,34 @@ declare_lint! {
@feature_gate = sym::non_exhaustive_omitted_patterns_lint;
}

declare_lint! {
/// The `text_direction_codepoint_in_comment` lint detects Unicode codepoints in comments that
/// change the visual representation of text on screen in a way that does not correspond to
/// their on memory representation.
///
/// ### Example
///
/// ```rust,compile_fail
/// #![deny(text_direction_codepoint_in_comment)]
/// fn main() {
/// println!("{:?}"); // '‮');
/// }
/// ```
///
/// {{produces}}
///
/// ### Explanation
///
/// Unicode allows changing the visual flow of text on screen in order to support scripts that
/// are written right-to-left, but a specially crafted comment can make code that will be
/// compiled appear to be part of a comment, depending on the software used to read the code.
/// To avoid potential problems or confusion, such as in CVE-2021-42574, by default we deny
/// their use.
pub TEXT_DIRECTION_CODEPOINT_IN_COMMENT,
Deny,
"invisible directionality-changing codepoints in comment"
}

declare_lint! {
/// The `deref_into_dyn_supertrait` lint is output whenever there is a use of the
/// `Deref` implementation with a `dyn SuperTrait` type as `Output`.
Expand Down
1 change: 1 addition & 0 deletions compiler/rustc_lint_defs/src/lib.rs
View file
Expand Up @@ -306,6 +306,7 @@ pub enum BuiltinLintDiagnostics {
TrailingMacro(bool, Ident),
BreakWithLabelAndLoop(Span),
NamedAsmLabel(String),
UnicodeTextFlow(Span, String),
}

/// Lints that are buffered up early on in the `Session` before the
Expand Down
1 change: 1 addition & 0 deletions compiler/rustc_parse/Cargo.toml
View file
Expand Up @@ -18,3 +18,4 @@ rustc_session = { path = "../rustc_session" }
rustc_span = { path = "../rustc_span" }
rustc_ast = { path = "../rustc_ast" }
unicode-normalization = "0.1.11"
unicode-width = "0.1.4"
40 changes: 37 additions & 3 deletions compiler/rustc_parse/src/lexer/mod.rs
View file
Expand Up @@ -4,7 +4,9 @@ use rustc_ast::tokenstream::{Spacing, TokenStream};
use rustc_errors::{error_code, Applicability, DiagnosticBuilder, FatalError, PResult};
use rustc_lexer::unescape::{self, Mode};
use rustc_lexer::{Base, DocStyle, RawStrError};
use rustc_session::lint::builtin::RUST_2021_PREFIXES_INCOMPATIBLE_SYNTAX;
use rustc_session::lint::builtin::{
TEXT_DIRECTION_CODEPOINT_IN_COMMENT, RUST_2021_PREFIXES_INCOMPATIBLE_SYNTAX,
};
use rustc_session::lint::BuiltinLintDiagnostics;
use rustc_session::parse::ParseSess;
use rustc_span::symbol::{sym, Symbol};
Expand Down Expand Up @@ -129,14 +131,41 @@ impl<'a> StringReader<'a> {
.struct_span_fatal(self.mk_sp(from_pos, to_pos), &format!("{}: {}", m, escaped_char(c)))
}

/// Detect usages of Unicode codepoints changing the direction of the text on screen and loudly
/// complain about it.
fn lint_unicode_text_flow(&self, start: BytePos) {
// Opening delimiter of the length 2 is not included into the comment text.
let content_start = start + BytePos(2);
let content = self.str_from(content_start);
let span = self.mk_sp(start, self.pos);
const UNICODE_TEXT_FLOW_CHARS: &[char] = &[
'\u{202A}', '\u{202B}', '\u{202D}', '\u{202E}', '\u{2066}', '\u{2067}', '\u{2068}',
'\u{202C}', '\u{2069}',
];
if content.contains(UNICODE_TEXT_FLOW_CHARS) {
self.sess.buffer_lint_with_diagnostic(
&TEXT_DIRECTION_CODEPOINT_IN_COMMENT,
span,
ast::CRATE_NODE_ID,
"unicode codepoint changing visible direction of text present in comment",
BuiltinLintDiagnostics::UnicodeTextFlow(span, content.to_string()),
);
}
}

/// Turns simple `rustc_lexer::TokenKind` enum into a rich
/// `rustc_ast::TokenKind`. This turns strings into interned
/// symbols and runs additional validation.
fn cook_lexer_token(&self, token: rustc_lexer::TokenKind, start: BytePos) -> Option<TokenKind> {
Some(match token {
rustc_lexer::TokenKind::LineComment { doc_style } => {
// Skip non-doc comments
let doc_style = doc_style?;
let doc_style = if let Some(doc_style) = doc_style {
doc_style
} else {
self.lint_unicode_text_flow(start);
return None;
};

// Opening delimiter of the length 3 is not included into the symbol.
let content_start = start + BytePos(3);
Expand All @@ -158,7 +187,12 @@ impl<'a> StringReader<'a> {
}

// Skip non-doc comments
let doc_style = doc_style?;
let doc_style = if let Some(doc_style) = doc_style {
doc_style
} else {
self.lint_unicode_text_flow(start);
return None;
};

// Opening delimiter of the length 3 and closing delimiter of the length 2
// are not included into the symbol.
Expand Down

0 comments on commit c0b1345

Please sign in to comment.