2 files changed, 46 insertions, 0 deletions

diff --git a/.github/workflows/unicode-check.yml b/.github/workflows/unicode-check.yml
new file mode 100644
index 0000000000..9cfd35ca12
--- /dev/null
+++ b/.github/workflows/unicode-check.yml
@@ -0,0 +1,17 @@
+name: Bidirectional Unicode scan
+on:
+    push:
+    # Request manually from the Actions tab
+    workflow_dispatch:
+jobs:
+    build-linux:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@v2
+
+            - name: Checkout submodules
+              run: git submodule update --init
+
+            - name: Scan for code points
+              run: ./ci/check-trojan-source.sh
diff --git a/ci/check-trojan-source.sh b/ci/check-trojan-source.sh
new file mode 100755
index 0000000000..7b18ad4952
--- /dev/null
+++ b/ci/check-trojan-source.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# This script scans text and source code for bidirectional Unicode characters.
+# See CVE-2021-42574. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+# UTF-8 encoding is assumed.
+
+set -eu
+
+export LC_ALL=en_US.UTF-8
+
+cd "$( dirname "${BASH_SOURCE[0]}" )/.."
+
+FILES=()
+while IFS='' read -r line; do FILES+=("$line"); done < <( find . -type f -exec grep -Il . {} + )
+
+CODEPOINT_REGEX=$( printf "\u202a\|\u202b\|\u202c\|\u202d\|\u202e\|\u2066\|\u2067\|\u2068\|\u2069" )
+
+matched=0
+
+echo "Scanning files: ${FILES[*]}"
+
+for file in "${FILES[@]}"; do
+    if grep -q "${CODEPOINT_REGEX}" "$file"; then
+        echo "Found code points in $file"
+        matched=1
+    fi
+done
+
+exit $matched