Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

New Rule: disallow bidirectional control characters and homoglyphs to mitigate trojan source attacks

See original GitHub issue

Rule details

disallow bidirectional control characters and homoglyphs in source code to mitigate CVE-2021-42574 and CVE-2021-42694

Related ECMAScript feature

Not a new feature, but to specifically disable certain characters supported by

What type of rule is this?

Warns about a potential problem

Example code

// From the trojan source paper:

var accessLevel = "user";
if (accessLevel != "user{U+202E} {U+2066}// Check if admin{U+2069} {U+2066}") {
  console.log("You are an admin");

// Replacing {U+NNNN} in the code above with actual code points NNNN,
// the code would be rendered in bidirectional-aware tools as

if (accessLevel != "user") { // Check if admin
  console.log("You are an admin");

// Another variant (CVE-2021-42694) is to use homoglyphs
// (characters that look similar) to, for example, declare a
// function with a name different from what one might expect
function sayHello() {
  console.log("Hello, World!");

// Replacing H(U+0048) above with Н(U+041D) would declare a
// different function, even though they look visually similar.
function sayНello() {
  console.log("Goodbye, World!");

// This invokes the second function even though it appears to
// be calling the first one.

Why should this rule be in the core instead of a plugin?

These vuneralbilities have a relatively wide security impact affecting multiple programming languages, adding it in core would help promote awareness of these issues and reduce the risks in the JS ecosystem while the JS engines work out a fix or other alternatives to mitigate this.


  • I am willing to submit a pull request to implement this rule.

Additional comments

More information about these attacks can be found at Also see the security announcement by Node.js:

Blog by the rust team about CVE-2021-42574:

Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:6
  • Comments:22 (11 by maintainers)

github_iconTop GitHub Comments

nzakascommented, Nov 11, 2021

@mhofman i like this approach, though the team feels that the core isn’t the correct home for these rules. I’m talking with the eslint-plugin-security folks to see about getting that project restarted, as I think that would be the best home for such rules.

nzakascommented, Oct 27, 2022

Yes, sorry, way too much going on. If you wouldn’t mind, you can suggest security related rules here:

Still trying to get back around to fixing up that plugin but it’s the right place for rules like these.

Read more comments on GitHub >

github_iconTop Results From Across the Web

How to effectively detect and mitigate Trojan Source attacks in ...
The paper describes several types of abusing bidirectional control characters to inject malicious code into source: Commenting-Out, Stretched ...
Read more >
Prevent Trojan Source attacks with GCC 12 - Red Hat Developer
The issue here is that Unicode's rules for bidirectional text work at the level of paragraphs and lines, whereas C's tokenization rules are ......
Read more >
Mitigating Trojan Source attacks - Soteri Documentation
Bitbucket's mitigation for Trojan Source attacks highlights the hidden characters for reviewers. But what if you want to prevent these ...
Read more >
Trojan Source: tricks (no treats) with Unicode -
For the most part, the homoglyph attack was displayed as "expected" (i.e. confusingly) on nearly all, while the bidirectional attack was ...
Read more >
Trojan Source attack invisibly threatens code ... - The Register
Bidirectional character attack – simple and nightmarish ... Updated The way Unicode's UTF-8 text encoding handles different languages could be ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found