Skip to main content

Scans locale files for translated-string security defects: Unicode bidi overrides, XSS payloads, and format/interpolation placeholder drift.

Project description

i18n-security-lint

A command-line tool and CI action that scans locale files for security defects introduced through unreviewed translated strings.

It checks the four vulnerability classes documented in the parent repository's Security Scope:

  1. Unicode bidirectional override attacks — Right-to-left control characters (U+202AU+202E, U+2066U+2069) that make displayed text differ from actual file content.
  2. Cross-site scripting (XSS) in rendered locale content — HTML/script fragments embedded in translated strings.
  3. Format-specifier tampering — added, removed, or renamed placeholders (%s, {0}, {{variable}}) that cause crashes or undefined behaviour.
  4. Interpolation-variable integrity failures — variable names renamed or omitted during translation, breaking string interpolation.

Supported formats

Format Extension Source pair used for checks 3–4
JSON .json translation-only (checks 1–2)
gettext .po msgidmsgstr (all checks)
XLIFF .xliff, .xlf <target> text (checks 1–2)
Fluent .ftl key = value (checks 1–2)

Install

pip install -e .

Usage

# Scan one or more locale files
i18n-security-lint locale/*.po

# Scan a directory recursively, emit JSON, fail CI on any finding
i18n-security-lint --json --strict locale/

Exit code is 1 when --strict is set and at least one finding is reported, so the tool drops straight into a CI pipeline.

GitHub Action

- uses: ecogetaway/oss-language-inclusion/tools/i18n-security-lint@main
  with:
    path: locale/

Status

Working scaffolding. All four checks are implemented: bidi and XSS for every supported format, format-specifier and interpolation-variable drift for .po source/translation pairs. The test suite covers each check across JSON, gettext, XLIFF, and Fluent corpus files, and the repository's CI dogfoods the scanner against the malicious corpus on every push (it must flag every malicious file and pass the clean one). This is the flagship security deliverable of the Open Source Language Inclusion initiative, demonstrated as required.

Known limitations: detection is pattern-based, not parser-accurate — see the repository's SECURITY.md for scope and how to report bypasses.

License

Apache-2.0 (inherited from the parent repository).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

i18n_security_lint-0.1.0.tar.gz (7.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

i18n_security_lint-0.1.0-py3-none-any.whl (6.8 kB view details)

Uploaded Python 3

File details

Details for the file i18n_security_lint-0.1.0.tar.gz.

File metadata

  • Download URL: i18n_security_lint-0.1.0.tar.gz
  • Upload date:
  • Size: 7.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for i18n_security_lint-0.1.0.tar.gz
Algorithm Hash digest
SHA256 f32da5ef33d7743e248e7ab0fa03d08890543f20c51c87bcd09849b3cb534fd0
MD5 5f11c09b4924553c67f4bc303a3824b7
BLAKE2b-256 82d566efa3c71b82aa4ff81288bd9b8f1a8f9884a9d78b4073c4374e83838de0

See more details on using hashes here.

File details

Details for the file i18n_security_lint-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for i18n_security_lint-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 70f85a825ca4df6c407170a02e5fcc1b4de6ab2335f6753c48aaaacd27c0cf24
MD5 089229e538f7b052ffe0d11f83c76bea
BLAKE2b-256 e308e8485b1a2e8f0e4e636c28e4c3905c8d79bb4b6c68544c6d072d5de6f86a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page