SonarSource Rules
  • Products

    In-IDE

    Code Quality and Security in your IDE with SonarQube Ide

    IDE extension that lets you fix coding issues before they exist!

    Discover SonarQube for IDE

    SaaS

    Code Quality and Security in the cloud with SonarQube Cloud

    Setup is effortless and analysis is automatic for most languages

    Discover SonarQube Cloud

    Self-Hosted

    Code Quality and Security Self-Hosted with SonarQube Server

    Fast, accurate analysis; enterprise scalability

    Discover SonarQube Server
  • SecretsSecrets
  • ABAPABAP
  • AnsibleAnsible
  • ApexApex
  • AzureResourceManagerAzureResourceManager
  • CC
  • C#C#
  • C++C++
  • CloudFormationCloudFormation
  • COBOLCOBOL
  • CSSCSS
  • DartDart
  • DockerDocker
  • FlexFlex
  • GitHub ActionsGitHub Actions
  • GoGo
  • HTMLHTML
  • JavaJava
  • JavaScriptJavaScript
  • JSONJSON
  • JCLJCL
  • KotlinKotlin
  • KubernetesKubernetes
  • Objective CObjective C
  • PHPPHP
  • PL/IPL/I
  • PL/SQLPL/SQL
  • PythonPython
  • RPGRPG
  • RubyRuby
  • RustRust
  • ScalaScala
  • ShellShell
  • SwiftSwift
  • TerraformTerraform
  • TextText
  • TypeScriptTypeScript
  • T-SQLT-SQL
  • VB.NETVB.NET
  • VB6VB6
  • XMLXML
  • YAMLYAML
Text

Text static code analysis

Unique rules to find Security Hotspots and Offensive Text in any files

  • All rules 3
  • Security Hotspot2
  • Code Smell1
Filtered: 2 rules found
cwe
    Impact
      Clean code attribute
        1. Using Unicode tag blocks is security-sensitive

           Security Hotspot
        2. Using bidirectional characters is security-sensitive

           Security Hotspot

        Using bidirectional characters is security-sensitive

        intentionality - clear
        security
        Security Hotspot
        • cwe

        Using bidirectional (BIDI) characters can lead to incomprehensible code.

        The Unicode encoding contains BIDI control characters that are used to display text right-to-left (RTL) instead of left-to-right (LTR). This is necessary for certain languages that use RTL text. The BIDI characters can be used to create a difference in the code between what a human sees and what a compiler or interpreter sees. An advisary might use this feature to hide a backdoor in the code that will not be spotted by a human reviewer as it is not visible.

        This can lead to supply chain attacks since the backdoored code might persist over a long time without being detected and can even be included in other projects, for example in the case of libraries.

        Ask Yourself Whether

        • This text requires a right-to-left writing system (to use Arabic or Hebrew words, for example).
        • The author of this text is a legitimate user.
        • This text contains a standard instruction, comment or sequence of characters.

        There is a risk if you answered no to any of these questions.

        Recommended Secure Coding Practices

        Open the file in an editor that reveals non-ASCII characters and remove all BIDI control characters that are not intended.

        If hidden characters are illegitimate, this issue could indicate a potential ongoing attack on the code. Therefore, it would be best to warn your organization’s security team about this issue.

        Required opening BIDI characters should be explicitly closed with the PDI character.

        Sensitive Code Example

        A hidden BIDI character is present in front of return:

        def subtract_funds(account: str, amount: int):
            ''' Subtract funds from bank account then ⁧''' ;return
            bank[account] -= amount
            return
        

        The executed code looks like the following:

        def subtract_funds(account: str, amount: int):
            ''' Subtract funds from bank account then <RLI>''' ;return
            bank[account] -= amount
            return
        

        Compliant Solution

        No hidden BIDI characters are present:

        def subtract_funds(account: str, amount: int):
            ''' Subtract funds from bank account then return; '''
            bank[account] -= amount
            return
        

        See

        • Bidirectional Algorithm - Unicode Standard
        • Wikipedia - Bidirectional Text
        • Trojan Source Report
        • Trojan Source Report - IDEs revealing hidden characters
        • CWE - CWE-94 - Improper Control of Generation of Code ('Code Injection')
          Available In:
        • SonarQube CloudDetect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories
        • SonarQube Community BuildAnalyze code in your
          on-premise CI
          Available Since
          9.3
        • SonarQube ServerAnalyze code in your
          on-premise CI
          Developer Edition
          Available Since
          9.3

        © 2008-2025 SonarSource SA. All rights reserved.

        Privacy Policy | Cookie Policy | Terms of Use