This library currently provides the following lint rules that detect unsupported characters in source and xml files:
TrojanSourceDetector- covers Java and Kotlin filesTrojanXmlDetector- covers XML resource and Android manifest files
A fatal lint error will be reported if any unicode (or unsupported ascii) characters are detected. Only printable(32..126) + horizontal tab/line feed/carriage return(9, 10, 13) ascii characters are allowed.
- Add jitpack in your root build gradle at the end of
allprojects.repositories. Jitpack recommends adding to the end as Gradle will go through all repositories in order until it finds a dependency and jitpack likely accounts for a small portion of dependencies in your project:
allprojects {
repositories {
// ...
maven(url = "https://jitpack.io")
}
}- Add the following to all your module build gradle files where you want to use the lint rules:
dependencies {
// ...
implementation("com.github.BottleRocketStudios:Android-CustomLintRules:1.0.0")
// ...
}- Perform a gradle sync and run the
lintgradle task (gradlew lint). Any problems detected by the custom lint rules will be shown in the generated lint report.
- BIDI symbols:
LRE,RLE,LRO,RLO,LRI,RLI,FSI,PDF,PDI(some of the actual symbols )- See https://trojansource.codes/trojan-source.pdf for more details
- Homoglyphs such as Н (cyrillic en)
- Symbols such as € or 👍
- Ascii control characters:
0..31and127
- https://www.theregister.com/2021/11/01/trojan_source_language_reversal_unicode/
- https://nvd.nist.gov/vuln/detail/CVE-2021-42574
- https://trojansource.codes/
- https://github.com/nickboucher/trojan-source
- https://www.w3schools.com/charsets/ref_html_ascii.asp - ascii ranges
sample- Sample project containing source code and xml that will trigger the custom lint rules.library- Android library project that packages up thelintRulesinto the library aar.lintRules- actual source of the lint rules (with tests).
- View root of jitpack generated data for this project at https://jitpack.io/com/github/BottleRocketStudios/Android-CustomLintRules/
- Copy-paste additional values from page responses to the url path to traverse down the tree of all files managed by jitpack for your builds and view/retrieve things like log files, module files, pom files, and aars.
- Access development/SNAPSHOT builds by replacing the version with an arbitrary
release tag,commit hash, orbranch~name-SNAPSHOT(ex:develop-SNAPSHOT,feature~abc-SNAPSHOT). You can also browse https://jitpack.io/#BottleRocketStudios/Android-CustomLintRules to generate a dependency value from a list of all jitpack builds. - When debugging, you can view artifacts that gradle downloads to your local machine (from a consumer app POV) by navigating to the following folder and viewing its contents to inspect aars, module files, and pom files:
~/.gradle/caches/modules-2/files-2.1/com.github.BottleRocketStudios/Android-CustomLintRules/
- You can generate a locally built aar for testing by executing the
publishReleasePublicationToMavenLocalRun Configuration. - Quickly navigate to the output by executing the
Open Local Maven Publication FolderRun Configuration.
- https://proandroiddev.com/implementing-your-first-android-lint-rule-6e572383b292 - Also see linked talks and repositories at the end of the blog.
- https://proandroiddev.com/testing-your-first-android-lint-rule-bb78c1f2d2bd -
- https://github.com/fabiocarballo/lint-sample - sample repo for above blog posts
- https://github.com/googlesamples/android-custom-lint-rules - official custom lint rule sample repo
- https://googlesamples.github.io/android-custom-lint-rules/api-guide.html - official custom lint rule development api guide