[GDScript] Check string literals for Unicode direction control characters. #54883
Conversation
Good idea. Wonder whether it should be a warning instead of an error.
For reference, here's an example of legitimate usage of a direction control character: https://hosted.weblate.org/translate/godot-engine/godot/ar/?checksum=3818bad5b65a4bef#comments (using "\uXXXX" escape codes is a more convenient way than adding raw characters, so this change won't break anything).
Rust seems to have added "deny by default" lints according to https://blog.rust-lang.org/2021/11/01/cve-2021-42574.html. What would a typical non-exploit string using such Unicode direction control characters look like, both with and without escape codes? E.g. some Arabic with English words, I suppose?
Here's the string for Weblate I mentioned before, but with escaped chars; control chars are used to keep English node names and punctuation in the correct order when they are inside the Arabic string.

Invalid operands to operator Alpha, Beta and Gamma.
معاملات غير صالحة للمشغل Alpha، Beta و Gamma.

The first line is without control chars, the second with.
Thanks!
We should likely change each warning property from a boolean to an enum (Warning, Error, Ignore), and remove the warnings-to-errors setting in 4.0. This way, each warning can be configured to emit an error (and we can do this by default for a few warnings). Edit: Proposal opened: godotengine/godot-proposals#3531
Fixes a potential vulnerability described in Trojan Source: Invisible Vulnerabilities. Since GDScript does not have `{...}` blocks, the second vulnerability variant probably is irrelevant.

Before:
![before](https://user-images.githubusercontent.com/7645683/141308657-32b1164c-9580-4b69-8751-7ecdd6f0d7de.png)
After:
![after](https://user-images.githubusercontent.com/7645683/141308868-9f078f6d-2731-4501-b4e2-c6863d113af8.png)
Test script:
dircontrol.gd.zip
Bugsquad edit: Mitigates CVE-2021-42574 for GDScript.
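As an added example (not part of this PR or of Godot's own code), a stand-alone Python check that applies the same rule to GDScript source: raw bidirectional control characters inside string literals are reported with their position, while the visible `\uXXXX` escape form used in the Weblate translation above passes. The regex for single-line literals and the sample script are assumptions of this example.

```python
import re

# Unicode Bidi_Control code points covered by CVE-2021-42574 (Trojan Source).
BIDI_CONTROLS = {
    0x061C,                                   # ARABIC LETTER MARK
    0x200E, 0x200F,                           # LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI, RLI, FSI, PDI
}

# Single-line GDScript string literals ("..." or '...') with backslash escapes.
# Assumption of this example: triple-quoted multi-line literals are not handled.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')


def find_bidi_controls(source):
    """Return (line, column, 'U+XXXX') for each raw bidi control character that
    appears inside a string literal of `source`.

    A literal that spells the same code point as a visible \\uXXXX escape is not
    reported: the escape is readable in the editor, so it cannot make the
    rendered source differ from what the tokenizer sees.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRING_RE.finditer(line):
            for offset, ch in enumerate(match.group(0)):
                if ord(ch) in BIDI_CONTROLS:
                    column = match.start() + offset
                    findings.append((lineno, column, f"U+{ord(ch):04X}"))
    return findings


# Constructed sample script. Line 1 uses visible escapes (the legitimate
# translation case); lines 2 and 3 embed raw RLO and RLI characters.
SAMPLE = (
    'var ok = "\\u202Bمعاملات\\u202C"\n'
    'var bad = "abc\u202Edef"\n'
    "var also = 'x\u2067y'\n"
)

if __name__ == "__main__":
    for lineno, column, cp in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, column {column}: raw {cp} inside string literal")
```

Running it on the sample reports only lines 2 and 3; the check deliberately covers string literals, matching the scope of this PR, so comments are not inspected.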