This library currently provides the following lint rules that detect unsupported characters in source and xml files:
- TrojanSourceDetector - covers Java and Kotlin files
- TrojanXmlDetector - covers XML resource and Android manifest files

A fatal lint error will be reported if any unicode (or unsupported ascii) characters are detected. Only printable (32..126) + horizontal tab/line feed/carriage return (9, 10, 13) ascii characters are allowed.
- Add jitpack in your root build gradle at the end of allprojects.repositories. Jitpack recommends adding to the end as Gradle will go through all repositories in order until it finds a dependency and jitpack likely accounts for a small portion of dependencies in your project:

      allprojects {
          repositories {
              // ...
              maven(url = "https://jitpack.io")
          }
      }

- Add the following to all your module build gradle files where you want to use the lint rules:

      dependencies {
          // ...
          implementation("com.github.BottleRocketStudios:Android-CustomLintRules:1.0.0")
          // ...
      }

- Perform a gradle sync and run the lint gradle task (gradlew lint). Any problems detected by the custom lint rules will be shown in the generated lint report.

- BIDI symbols: LRE, RLE, LRO, RLO, LRI, RLI, FSI, PDF, PDI (some of the actual symbols )
  - See https://trojansource.codes/trojan-source.pdf for more details
- Homoglyphs such as Н (cyrillic en)
- Symbols such as € or 👍
- Ascii control characters: 0..31 and 127

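The allowlist and the character categories listed above, as an added example that is not the library's own code: a standalone Kotlin (JVM) scanner that reports the position and category of every character outside the allowed set. The names Finding, isAllowed, classify and scan are assumptions made for this example, and the sample text is constructed.

```kotlin
// Added example, not the library's code. Allowlist from the README:
// printable ASCII 32..126 plus tab (9), line feed (10), carriage return (13).
data class Finding(val line: Int, val column: Int, val codePoint: Int, val kind: String)

// Unicode bidirectional formatting characters named in the README.
val BIDI_CONTROLS = mapOf(
    0x202A to "LRE", 0x202B to "RLE", 0x202D to "LRO", 0x202E to "RLO",
    0x2066 to "LRI", 0x2067 to "RLI", 0x2068 to "FSI", 0x202C to "PDF", 0x2069 to "PDI",
)

fun isAllowed(cp: Int): Boolean = cp in 32..126 || cp == 9 || cp == 10 || cp == 13

fun classify(cp: Int): String = when {
    cp in BIDI_CONTROLS -> "BIDI control ${BIDI_CONTROLS[cp]}"
    cp < 32 || cp == 127 -> "ASCII control character"
    else -> "non-ASCII character (homoglyph, symbol, emoji, ...)"
}

// Returns one finding per disallowed code point, with 1-based line and column.
fun scan(text: String): List<Finding> {
    val findings = mutableListOf<Finding>()
    var line = 1
    var column = 1
    var i = 0
    while (i < text.length) {
        val cp = text.codePointAt(i) // whole code points, so an emoji is reported once
        if (!isAllowed(cp)) findings += Finding(line, column, cp, classify(cp))
        if (cp == '\n'.code) { line++; column = 1 } else column++
        i += Character.charCount(cp)
    }
    return findings
}

fun main() {
    // Constructed sample; offending characters are written as escapes so this file stays ASCII.
    val sample = "val level = \"user\" // \u202Enote\u2069\n" + // RLO ... PDI in a comment
        "val \u041Dame = \"\u20AC\uD83D\uDC4D\"\n" +            // cyrillic en, euro sign, thumbs up
        "val bell = \"\u0007\"\tok\r\n"                          // BEL is rejected; tab and CR LF pass
    for (f in scan(sample)) {
        println("line ${f.line}, col ${f.column}: U+%04X %s".format(f.codePoint, f.kind))
    }
}
```

Running main prints six findings: the two BIDI controls on line 1, the homoglyph, euro sign and emoji on line 2, and the BEL control character on line 3.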
- https://www.theregister.com/2021/11/01/trojan_source_language_reversal_unicode/
- https://nvd.nist.gov/vuln/detail/CVE-2021-42574
- https://trojansource.codes/
- https://github.com/nickboucher/trojan-source
- https://www.w3schools.com/charsets/ref_html_ascii.asp - ascii ranges

- sample - Sample project containing source code and xml that will trigger the custom lint rules.
- library - Android library project that packages up the lintRules into the library aar.
- lintRules - actual source of the lint rules (with tests).

- View root of jitpack generated data for this project at https://jitpack.io/com/github/BottleRocketStudios/Android-CustomLintRules/
- Copy-paste additional values from page responses to the url path to traverse down the tree of all files managed by jitpack for your builds and view/retrieve things like log files, module files, pom files, and aars.
- Access development/SNAPSHOT builds by replacing the version with an arbitrary release tag, commit hash, or branch~name-SNAPSHOT (ex: develop-SNAPSHOT, feature~abc-SNAPSHOT). You can also browse https://jitpack.io/#BottleRocketStudios/Android-CustomLintRules to generate a dependency value from a list of all jitpack builds.
- When debugging, you can view artifacts that gradle downloads to your local machine (from a consumer app POV) by navigating to the following folder and viewing its contents to inspect aars, module files, and pom files:

      ~/.gradle/caches/modules-2/files-2.1/com.github.BottleRocketStudios/Android-CustomLintRules/

- You can generate a locally built aar for testing by executing the publishReleasePublicationToMavenLocal Run Configuration.
- Quickly navigate to the output by executing the Open Local Maven Publication Folder Run Configuration.

- https://proandroiddev.com/implementing-your-first-android-lint-rule-6e572383b292 - Also see linked talks and repositories at the end of the blog.
- https://proandroiddev.com/testing-your-first-android-lint-rule-bb78c1f2d2bd
- https://github.com/fabiocarballo/lint-sample - sample repo for above blog posts
- https://github.com/googlesamples/android-custom-lint-rules - official custom lint rule sample repo
- https://googlesamples.github.io/android-custom-lint-rules/api-guide.html - official custom lint rule development api guide