diff --git a/clang-tools-extra/clang-tidy/misc/CMakeLists.txt b/clang-tools-extra/clang-tidy/misc/CMakeLists.txt
--- a/clang-tools-extra/clang-tidy/misc/CMakeLists.txt
+++ b/clang-tools-extra/clang-tidy/misc/CMakeLists.txt
@@ -6,6 +6,7 @@
 add_clang_library(clangTidyMiscModule
 DefinitionsInHeadersCheck.cpp
 MiscTidyModule.cpp
+ MisleadingBidirectional.cpp
 MisleadingIdentifier.cpp
 MisplacedConstCheck.cpp
 NewDeleteOverloadsCheck.cpp
diff --git a/clang-tools-extra/clang-tidy/misc/MiscTidyModule.cpp b/clang-tools-extra/clang-tidy/misc/MiscTidyModule.cpp
--- a/clang-tools-extra/clang-tidy/misc/MiscTidyModule.cpp
+++ b/clang-tools-extra/clang-tidy/misc/MiscTidyModule.cpp
@@ -10,6 +10,7 @@
 #include "../ClangTidyModule.h"
 #include "../ClangTidyModuleRegistry.h"
 #include "DefinitionsInHeadersCheck.h"
+#include "MisleadingBidirectional.h"
 #include "MisleadingIdentifier.h"
 #include "MisplacedConstCheck.h"
 #include "NewDeleteOverloadsCheck.h"
@@ -34,6 +35,8 @@
 void addCheckFactories(ClangTidyCheckFactories &CheckFactories) override {
 CheckFactories.registerCheck(
 "misc-definitions-in-headers");
+ CheckFactories.registerCheck(
+ "misc-misleading-bidirectional");
 CheckFactories.registerCheck(
 "misc-misleading-identifier");
 CheckFactories.registerCheck("misc-misplaced-const");
diff --git a/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.h b/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.h
new file mode 100644
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.h
@@ -0,0 +1,38 @@
+//===--- MisleadingBidirectionalCheck.h - clang-tidy ------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_MISLEADINGBIDIRECTIONALCHECK_H
+#define LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_MISLEADINGBIDIRECTIONALCHECK_H
+
+#include "../ClangTidyCheck.h"
+
+namespace clang {
+namespace tidy {
+namespace misc {
+
+class MisleadingBidirectionalCheck : public ClangTidyCheck {
+public:
+ MisleadingBidirectionalCheck(StringRef Name, ClangTidyContext *Context);
+ ~MisleadingBidirectionalCheck();
+
+ void registerPPCallbacks(const SourceManager &SM, Preprocessor *PP,
+ Preprocessor *ModuleExpanderPP) override;
+
+ void registerMatchers(ast_matchers::MatchFinder *Finder) override;
+ void check(const ast_matchers::MatchFinder::MatchResult &Result) override;
+
+private:
+ class MisleadingBidirectionalHandler;
+ std::unique_ptr Handler;
+};
+
+} // namespace misc
+} // namespace tidy
+} // namespace clang
+
+#endif // LLVM_CLANG_TOOLS_EXTRA_CLANG_TIDY_MISC_MISLEADINGBIDIRECTIONALCHECK_H
diff --git a/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.cpp b/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.cpp
new file mode 100644
--- /dev/null
+++ b/clang-tools-extra/clang-tidy/misc/MisleadingBidirectional.cpp
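Review bot: The banner on the first line and the include guard in MisleadingBidirectional.h both spell the name as `MisleadingBidirectionalCheck.h` / `..._MISLEADINGBIDIRECTIONALCHECK_H`, while the file being added is `MisleadingBidirectional.h`; either the file or the banner and guard should be renamed so they agree. The class declaration also carries no doc comment, and a line such as `/// Flags comments and string literals that leave a bidirectional Unicode control sequence unterminated.` above `class MisleadingBidirectionalCheck` would tell a reader what the check reports without opening the .cpp.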
@@ -0,0 +1,139 @@
+//===--- MisleadingBidirectional.cpp - clang-tidy -------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "MisleadingBidirectional.h"
+
+#include "clang/Frontend/CompilerInstance.h"
+#include "clang/Lex/Preprocessor.h"
+#include "llvm/Support/ConvertUTF.h"
+
+using namespace clang;
+using namespace clang::tidy::misc;
+
+static bool containsMisleadingBidi(StringRef Buffer,
+ bool HonorLineBreaks = true) {
+ const char *CurPtr = Buffer.begin();
+
+ enum BidiChar {
+ PS = 0x2029,
+ RLO = 0x202E,
+ RLE = 0x202B,
+ LRO = 0x202D,
+ LRE = 0x202A,
+ PDF = 0x202C,
+ RLI = 0x2067,
+ LRI = 0x2066,
+ FSI = 0x2068,
+ PDI = 0x2069
+ };
+
+ SmallVector BidiContexts;
+
+ // Scan each character while maintaining a stack of opened bidi context.
+ // RLO/RLE/LRO/LRE all are closed by PDF while RLI LRI and FSI are closed by
+ // PDI. New lines reset the context count. Extra PDF / PDI are ignored.
+ //
+ // Warn if we end up with an unclosed context.
+ while (CurPtr < Buffer.end()) {
+ unsigned char C = *CurPtr;
+ if (isASCII(C)) {
+ ++CurPtr;
+ bool IsParagrapSep =
+ (C == 0xA || C == 0xD || (0x1C <= C && C <= 0x1E) || C == 0x85);
+ bool IsSegmentSep = (C == 0x9 || C == 0xB || C == 0x1F);
+ if (IsParagrapSep || IsSegmentSep)
+ BidiContexts.clear();
+ continue;
+ }
+ llvm::UTF32 CodePoint;
+ llvm::ConversionResult Result = llvm::convertUTF8Sequence(
+ (const llvm::UTF8 **)&CurPtr, (const llvm::UTF8 *)Buffer.end(),
+ &CodePoint, llvm::strictConversion);
+
+ // If conversion fails, utf-8 is designed so that we can just try next char.
+ if (Result != llvm::conversionOK) {
+ ++CurPtr;
+ continue;
+ }
+
+ // Open a PDF context.
+ if (CodePoint == RLO || CodePoint == RLE || CodePoint == LRO ||
+ CodePoint == LRE)
+ BidiContexts.push_back(PDF);
+ // Close PDF Context.
+ else if (CodePoint == PDF) {
+ if (!BidiContexts.empty() && BidiContexts.back() == PDF)
+ BidiContexts.pop_back();
+ }
+ // Open a PDI Context.
+ else if (CodePoint == RLI || CodePoint == LRI || CodePoint == FSI)
+ BidiContexts.push_back(PDI);
+ // Close a PDI Context.
+ else if (CodePoint == PDI) {
+ auto R = std::find(BidiContexts.rbegin(), BidiContexts.rend(), PDI);
+ if (R != BidiContexts.rend())
+ BidiContexts.resize(BidiContexts.rend() - R - 1);
+ }
+ // Line break or equivalent
+ else if (CodePoint == PS)
+ BidiContexts.clear();
+ }
+ return !BidiContexts.empty();
+}
+
+class MisleadingBidirectionalCheck::MisleadingBidirectionalHandler
+ : public CommentHandler {
+public:
+ MisleadingBidirectionalHandler(MisleadingBidirectionalCheck &Check,
+ llvm::Optional User)
+ : Check(Check) {}
+
+ bool HandleComment(Preprocessor &PP, SourceRange Range) override {
+ // FIXME: check that we are in a /* */ comment
+ StringRef Text =
+ Lexer::getSourceText(CharSourceRange::getCharRange(Range),
+ PP.getSourceManager(), PP.getLangOpts());
+
+ if (containsMisleadingBidi(Text, true))
+ Check.diag(
+ Range.getBegin(),
+ "comment contains misleading bidirectional Unicode characters");
+ return false;
+ }
+
+private:
+ MisleadingBidirectionalCheck &Check;
+};
+
+MisleadingBidirectionalCheck::MisleadingBidirectionalCheck(
+ StringRef Name, ClangTidyContext *Context)
+ : ClangTidyCheck(Name, Context),
+ Handler(std::make_unique(
+ *this, Context->getOptions().User)) {}
+
+MisleadingBidirectionalCheck::~MisleadingBidirectionalCheck() = default;
+
+void MisleadingBidirectionalCheck::registerPPCallbacks(
+ const SourceManager &SM, Preprocessor *PP, Preprocessor *ModuleExpanderPP) {
+ PP->addCommentHandler(Handler.get());
+}
+
+void MisleadingBidirectionalCheck::check(
+ const ast_matchers::MatchFinder::MatchResult &Result) {
+ if (const auto
+ *SL = Result.Nodes.getNodeAs("strlit")) {
+ StringRef Literal = SL->getBytes();
+ if (containsMisleadingBidi(Literal, false))
+ diag(SL->getBeginLoc(), "string literal contains misleading "
+ "bidirectional Unicode characters");
+ }
+}
+
+void MisleadingBidirectionalCheck::registerMatchers(
+ ast_matchers::MatchFinder *Finder) {
+ Finder->addMatcher(ast_matchers::stringLiteral().bind("strlit"), this);
+}
diff --git a/clang-tools-extra/docs/ReleaseNotes.rst b/clang-tools-extra/docs/ReleaseNotes.rst
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -127,6 +127,10 @@
 Reports identifiers whose names are too short. Currently checks local
 variables and function parameters only.
+- New :doc:`misc-misleading-bidirectional ` check.
+
+ Inspects string literal and comments for unterminated bidirectional Unicode
+ characters.
 New check aliases
 ^^^^^^^^^^^^^^^^^
diff --git a/clang-tools-extra/docs/clang-tidy/checks/list.rst b/clang-tools-extra/docs/clang-tidy/checks/list.rst
--- a/clang-tools-extra/docs/clang-tidy/checks/list.rst
+++ b/clang-tools-extra/docs/clang-tidy/checks/list.rst
@@ -212,7 +212,8 @@
 `llvmlibc-implementation-in-namespace `_,
 `llvmlibc-restrict-system-libc-headers `_, "Yes"
 `misc-definitions-in-headers `_, "Yes"
- `misc-misleading-identifier `_,
+ `misc-misleading-bidirectional `_,
+ `misc-misleading-identifier `_,
 `misc-misplaced-const `_,
 `misc-new-delete-overloads `_,
 `misc-no-recursion `_,
diff --git a/clang-tools-extra/docs/clang-tidy/checks/misc-misleading-bidirectional.rst b/clang-tools-extra/docs/clang-tidy/checks/misc-misleading-bidirectional.rst
new file mode 100644
--- /dev/null
+++ b/clang-tools-extra/docs/clang-tidy/checks/misc-misleading-bidirectional.rst
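Review bot: `HonorLineBreaks` is never read inside `containsMisleadingBidi` in MisleadingBidirectional.cpp, so the `false` that `check()` passes for string literals has no effect and every separator clears the context stack. Because `check()` scans `SL->getBytes()` rather than the literal's source spelling, a literal holding an unterminated override followed by a `\n` escape would, as far as I can tell, have its stack cleared at byte 0xA and go unreported, even though the source line a reviewer reads still carries the open override. Gating both resets on the flag closes that gap, at the cost of extra reports for raw literals that span lines: `if (HonorLineBreaks && (IsParagrapSep || IsSegmentSep))` and `else if (HonorLineBreaks && CodePoint == PS)`. Separately, `C == 0x85` sits inside the `isASCII(C)` branch and can never be true, so NEL would have to be compared against `CodePoint` after decoding to be treated as a separator.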
@@ -0,0 +1,21 @@
+.. title:: clang-tidy - misc-misleading-bidirectional
+
+misc-misleading-bidirectional
+=============================
+
+Warn about unterminated bidirectional unicode sequence, detecting potential attack
+as described in the `Trojan Source `_ attack.
+
+Example:
+
+.. code-block:: c++
+
+ #include
+
+ int main() {
+ bool isAdmin = false;
+ /*‮ } ⁦if (isAdmin)⁩ ⁦ begin admins only */
+ std::cout << "You are an admin.\n";
+ /* end admins only ‮ { ⁦*/
+ return 0;
+ }
diff --git a/clang-tools-extra/test/clang-tidy/checkers/misc-misleading-bidirectional.cpp b/clang-tools-extra/test/clang-tidy/checkers/misc-misleading-bidirectional.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000
GIT binary patch literal 0 Hc$@