Important control characters aren't rendered when "editor.renderControlCharacters" is set, possibly leading users astray #116939
Description
Issue Type: Bug
Problem
Imagine you're looking at some code in VS Code:
function transferBalance(sender_id, recipient_id, amount, currency) { ⋯ }
transferBalance(5678,6776,4321,"USD");
Ostensibly, this transfers 6,776 USD from sender 5678 to recipient 1234. Right?
Unfortunately, no. Instead, this code hides malicious intent: it actually transfers 4,321 USD from sender 5678 to recipient 6776, stealing sender 5678's money. How is this possible?
Explanation
It's because this code is hiding two special Unicode control characters: U+202E ("right-to-left override") and U+202C ("pop directional formatting"). With explicit insertions, it looks like this:
malicious!
▼▼▼▼▼▼▼▼▼
transferBalance(5678,<U+202E>6776,4321<U+202C>,"USD");
▲▲▲▲▲▲▲▲ ▲▲▲▲▲▲▲▲
🕵sneaky! 🕵sneaky!
In other words, this gives the code the visual appearance of sending 6776 USD to recipient 1234, but that's not what the actual underlying text says; it says to transfer 4,321 USD to recipient 6776. Our editor — what we trust to show us text correctly — has led us into the wrong conclusion.
We can see that the actual bytes of the string in the code example do indeed have these control characters:
Normally the way around this sort of sneakiness is to use View > Show Control Characters. But if you copy the string from the example into VS Code, you won't see these control characters. They aren't rendered at all. How can we make sure these special characters get rendered?
Likely root cause
The bug is in src/vs/editor/common/viewLayout/viewLineRenderer.ts: it assumes a definition of "control character" that amounts to "anything whose character code as determined by String.charCodeAt is in the range U+0000⋯U+001F".
That assumption is incorrect, or at least too narrow to cover this case.
A possible fix
The right definition for control character for purposes of VS Code is probably, at a minimum, "anything in the Cc and Cf Unicode general categories", and not the current definition.
VS Code version: VSCodium 1.52.1 (ea3859d, 2020-12-17T00:37:39.556Z)
OS version: Linux x64 5.8.0-7642-generic
System Info
| Item | Value |
|---|---|
| CPUs | Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (12 x 4000) |
| GPU Status | 2d_canvas: enabled flash_3d: enabled flash_stage3d: enabled flash_stage3d_baseline: enabled gpu_compositing: enabled multiple_raster_threads: enabled_on oop_rasterization: disabled_off opengl: enabled_on protected_video_decode: unavailable_off rasterization: disabled_software skia_renderer: enabled_on video_decode: unavailable_off vulkan: disabled_off webgl: enabled webgl2: enabled |
| Load (avg) | 2, 1, 2 |
| Memory (System) | 62.53GB (8.13GB free) |
| Process Argv | --no-sandbox --unity-launch |
| Screen Reader | no |
| VM | 0% |
| DESKTOP_SESSION | jxf |
| XDG_CURRENT_DESKTOP | Unity |
| XDG_SESSION_DESKTOP | jxf |
| XDG_SESSION_TYPE | x11 |
Extensions (13)
| Extension | Author (truncated) | Version |
|---|---|---|
| toml | be5 | 0.4.0 |
| vscode-todo-plus | fab | 4.17.1 |
| vscode-hugo-snippets | fiv | 0.4.1 |
| markmap-vscode | ger | 0.0.7 |
| vscode-journal-view | Gru | 0.0.26 |
| terraform | has | 2.6.0 |
| solidity | Jua | 0.0.106 |
| vsliveshare | ms- | 1.0.3121 |
| vscode-journal | paj | 0.10.0 |
| rust | rus | 0.7.8 |
| crates | ser | 0.5.6 |
| vscode-mindmap | Sou | 0.0.5 |
| material-theme | zhu | 3.9.15 |
(1 theme extensions excluded)