There's a new source code vulnerability (CVE-2021-42574) that also affects go source code, where attackers can manipulate comment strings to change the behaviour of an application in a way a reviewer will not easily recognize.
This is especially true for a statically compiled language like go, where developers are supposed to review their dependencies before they use them.
It's called "Trojan Source" and is explained here: https://trojansource.codes/
The page also links to the paper, showing the affected unicode characters.
POC: https://play.golang.org/p/UhpMaSsCgth
There was already a comment added here recently, but I think this vulnerability deserves its own issue: #20209 (comment)
I suggest disallowing such characters in comment strings (or anywhere outside string literals), or - if possible - allowing them, as long as they only affect the content within their own scope/comment to continue support for other locales.
The alternative is for developers to depend on their IDEs/editors/review-tools to display such characters as problematic. Maybe the go playground should do the same?
Note that github already marks such files as potentially dangerous: https://github.com/nickboucher/trojan-source/blob/main/Go/commenting-out.go
Does this issue reproduce with the latest release?
yes
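As an added example (not code from the issue, the Trojan Source repository or the Go project), here is a small checker in the spirit of the rule proposed above: it tokenizes a Go file with go/scanner and reports Unicode bidirectional control characters anywhere outside string and rune literals, comments included. The source in main is a constructed sample, and the `Finding`/`ScanBidi` names are this example's own.

```go
package main

import (
	"fmt"
	"go/scanner"
	"go/token"
)

// Bidirectional control characters abused by Trojan Source (CVE-2021-42574).
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u2069': "PDI",
}

// Finding is one bidi control character found outside a string or rune literal.
type Finding struct {
	Line, Col int
	Name      string // abbreviation of the control character
	Token     string // token kind it appeared in (COMMENT, ILLEGAL, ...)
}

// ScanBidi tokenizes src with go/scanner and reports bidi controls anywhere except
// inside string and rune literals (the policy proposed in the issue). Lexer errors
// are discarded; only the positions of the characters matter.
func ScanBidi(filename string, src []byte) []Finding {
	fset := token.NewFileSet()
	file := fset.AddFile(filename, fset.Base(), len(src))
	var s scanner.Scanner
	s.Init(file, src, nil, scanner.ScanComments)
	var out []Finding
	for pos, tok, lit := s.Scan(); tok != token.EOF; pos, tok, lit = s.Scan() {
		if tok == token.STRING || tok == token.CHAR {
			continue // literals may legitimately contain bidi text
		}
		// A bidi rune between tokens comes back as ILLEGAL with lit == string(rune).
		for i, r := range lit { // i is the byte offset inside the token
			if name, ok := bidiControls[r]; ok {
				p := fset.Position(pos + token.Pos(i))
				out = append(out, Finding{p.Line, p.Column, name, tok.String()})
			}
		}
	}
	return out
}

func main() { // constructed sample: an RLO makes "} if (isAdmin) {" read as comment text
	src := []byte("package x\nfunc f(isAdmin bool) {\n\t/*\u202E } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n}\n")
	for _, f := range ScanBidi("sample.go", src) {
		fmt.Printf("sample.go:%d:%d: %s in %s token\n", f.Line, f.Col, f.Name, f.Token)
	}
}
```

Running it over a module (for example from a pre-commit hook) turns the reviewer-dependent check the issue describes into an automated one.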