Merge pull request from GHSA-xq5g-8594-cfxp

Advisory fix 1

2 files changed, 55 insertions, 1 deletions

diff --git a/botcore/utils/regex.py b/botcore/utils/regex.py
index abcaf299..8eb38ba2 100644
--- a/botcore/utils/regex.py
+++ b/botcore/utils/regex.py
@@ -11,13 +11,17 @@ DISCORD_INVITE = re.compile(
     r"discord([.,]|dot)io|"                      # or discord.io.
     r"((?<!\w)([.,]|dot))gg"                     # or .gg/
     r")([/]|slash)"                              # / or 'slash'
-    r"(?P<invite>[a-zA-Z0-9\-]+)",               # the invite code itself
+    r"(?P<invite>\S+)",                          # the invite code itself
     flags=re.IGNORECASE
 )
 """
 Regex for Discord server invites.
 
 :meta hide-value:
+.. warning::
+    This regex pattern will capture until a whitespace, if you are to use the 'invite' capture group in
+    any HTTP requests or similar. Please ensure you sanitise the output using something similar to
+    https://docs.python.org/3/library/urllib.parse.html#urllib.parse.quote.
 """
 
 FORMATTED_CODE_REGEX = re.compile(
diff --git a/tests/botcore/utils/test_regex.py b/tests/botcore/utils/test_regex.py
new file mode 100644
index 00000000..2ffd0e46
--- /dev/null
+++ b/tests/botcore/utils/test_regex.py
@@ -0,0 +1,50 @@
+import unittest
+from typing import Optional
+
+from botcore.utils.regex import DISCORD_INVITE
+
+
+def use_regex(s: str) -> Optional[str]:
+    """Helper function to run the Regex on a string.
+
+    Return the invite capture group, if the string matches the pattern
+        else return None
+    """
+    result = DISCORD_INVITE.search(s)
+    return result if result is None else result.group("invite")
+
+
+class UtilsRegexTests(unittest.TestCase):
+
+    def test_discord_invite_positives(self):
+        """Test the DISCORD_INVITE regex on a set of strings we would expect to capture."""
+
+        self.assertEqual(use_regex("discord.gg/python"), "python")
+        self.assertEqual(use_regex("https://discord.gg/python"), "python")
+        self.assertEqual(use_regex("discord.com/invite/python"), "python")
+        self.assertEqual(use_regex("discordapp.com/invite/python"), "python")
+        self.assertEqual(use_regex("discord.me/python"), "python")
+        self.assertEqual(use_regex("discord.li/python"), "python")
+        self.assertEqual(use_regex("discord.io/python"), "python")
+        self.assertEqual(use_regex(".gg/python"), "python")
+
+        self.assertEqual(use_regex("discord.gg/python/but/extra"), "python/but/extra")
+        self.assertEqual(use_regex("discord.me/this/isnt/python"), "this/isnt/python")
+        self.assertEqual(use_regex(".gg/a/a/a/a/a/a/a/a/a/a/a"), "a/a/a/a/a/a/a/a/a/a/a")
+        self.assertEqual(use_regex("discordapp.com/invite/python/snakescord"), "python/snakescord")
+        self.assertEqual(use_regex("http://discord.gg/python/%20/notpython"), "python/%20/notpython")
+        self.assertEqual(use_regex("discord.gg/python?=ts/notpython"), "python?=ts/notpython")
+        self.assertEqual(use_regex("https://discord.gg/python#fragment/notpython"), "python#fragment/notpython")
+        self.assertEqual(use_regex("https://discord.gg/python/~/notpython"), "python/~/notpython")
+
+        self.assertEqual(use_regex("https://discord.gg/python with whitespace"), "python")
+        self.assertEqual(use_regex(" https://discord.gg/python "), "python")
+
+    def test_discord_invite_negatives(self):
+        """Test the DISCORD_INVITE regex on a set of strings we would expect to not capture."""
+
+        self.assertEqual(use_regex("another string"), None)
+        self.assertEqual(use_regex("https://pythondiscord.com"), None)
+        self.assertEqual(use_regex("https://discord.com"), None)
+        self.assertEqual(use_regex("https://discord.gg"), None)
+        self.assertEqual(use_regex("https://discord.gg/ python"), None)