Scans locale files for translated-string security defects: Unicode bidi overrides, XSS payloads, and format/interpolation placeholder drift.
Project description
i18n-security-lint
A command-line tool and CI action that scans locale files for security defects introduced through unreviewed translated strings.
It checks the four vulnerability classes documented in the parent repository's Security Scope:
- Unicode bidirectional override attacks — Right-to-left control characters
(
U+202A–U+202E,U+2066–U+2069) that make displayed text differ from actual file content. - Cross-site scripting (XSS) in rendered locale content — HTML/script fragments embedded in translated strings.
- Format-specifier tampering — added, removed, or renamed placeholders
(
%s,{0},{{variable}}) that cause crashes or undefined behaviour. - Interpolation-variable integrity failures — variable names renamed or omitted during translation, breaking string interpolation.
Supported formats
| Format | Extension | Source pair used for checks 3–4 |
|---|---|---|
| JSON | .json |
translation-only (checks 1–2) |
| gettext | .po |
msgid → msgstr (all checks) |
| XLIFF | .xliff, .xlf |
<target> text (checks 1–2) |
| Fluent | .ftl |
key = value (checks 1–2) |
Install
pip install -e .
Usage
# Scan one or more locale files
i18n-security-lint locale/*.po
# Scan a directory recursively, emit JSON, fail CI on any finding
i18n-security-lint --json --strict locale/
Exit code is 1 when --strict is set and at least one finding is reported,
so the tool drops straight into a CI pipeline.
GitHub Action
- uses: ecogetaway/oss-language-inclusion/tools/i18n-security-lint@main
with:
path: locale/
Status
Working scaffolding. All four checks are implemented: bidi and XSS for every
supported format, format-specifier and interpolation-variable drift for .po
source/translation pairs. The test suite covers each check across JSON, gettext,
XLIFF, and Fluent corpus files, and the repository's CI dogfoods the scanner
against the malicious corpus on every push (it must flag every malicious file
and pass the clean one). This is the flagship security deliverable of the Open
Source Language Inclusion initiative, demonstrated as required.
Known limitations: detection is pattern-based, not parser-accurate — see the repository's SECURITY.md for scope and how to report bypasses.
License
Apache-2.0 (inherited from the parent repository).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file i18n_security_lint-0.1.0.tar.gz.
File metadata
- Download URL: i18n_security_lint-0.1.0.tar.gz
- Upload date:
- Size: 7.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f32da5ef33d7743e248e7ab0fa03d08890543f20c51c87bcd09849b3cb534fd0
|
|
| MD5 |
5f11c09b4924553c67f4bc303a3824b7
|
|
| BLAKE2b-256 |
82d566efa3c71b82aa4ff81288bd9b8f1a8f9884a9d78b4073c4374e83838de0
|
File details
Details for the file i18n_security_lint-0.1.0-py3-none-any.whl.
File metadata
- Download URL: i18n_security_lint-0.1.0-py3-none-any.whl
- Upload date:
- Size: 6.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
70f85a825ca4df6c407170a02e5fcc1b4de6ab2335f6753c48aaaacd27c0cf24
|
|
| MD5 |
089229e538f7b052ffe0d11f83c76bea
|
|
| BLAKE2b-256 |
e308e8485b1a2e8f0e4e636c28e4c3905c8d79bb4b6c68544c6d072d5de6f86a
|