| author | 2025-10-13 13:48:35 -0400 | |
|---|---|---|
| committer | 2025-10-21 14:49:01 -0400 | |
| commit | 5aa039845be7f0f972c3f6b622db402790268428 (patch) | |
| tree | 9dc30a4d96ce88c7be9ab9255e43205d3b49e356 | |
| parent | Fix incorrect variable used in mentions logic (diff) | |
Implement URL normalization in code snippet handler
Add URL normalization checks using yarl in code snippets.
| -rw-r--r-- | bot/exts/info/code_snippets.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/bot/exts/info/code_snippets.py b/bot/exts/info/code_snippets.py
index 6f67eda3c..0d890a853 100644
--- a/bot/exts/info/code_snippets.py
+++ b/bot/exts/info/code_snippets.py
@@ -5,6 +5,7 @@ from typing import Any
 from urllib.parse import quote_plus
 import discord
+import yarl
 from aiohttp import ClientResponseError
 from discord.ext.commands import Cog
@@ -272,6 +273,20 @@ class CodeSnippets(Cog):
 for pattern, handler in self.pattern_handlers:
 for match in pattern.finditer(content):
+ # ensure that the matched URL meets url normalization rules.
+ # parsing with yarl resolves all parent urls such as `/../`,
+ # we then check the regex again to make sure our groups stay the same
+ unsanitized = match.group(0)
+ normalized = str(yarl.URL(unsanitized))
+ if normalized != unsanitized:
+ match = pattern.fullmatch(normalized)
+ if not match:
+ log.info(
+ "Received code snippet url %s which "
+ "attempted to circumvent url normalisation.",
+ unsanitized
+ )
+ continue
 try:
 result = await handler(**match.groupdict())
 except ClientResponseError as error: |
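Review bot: Rebinding the loop variable with `match = pattern.fullmatch(normalized)` leaves `match` describing the normalized string rather than `content`, so any offset taken from it later in the loop body (which continues outside this hunk), such as `match.start()`, would no longer point into the message; keeping the re-match under its own name, e.g. `normalized_match = pattern.fullmatch(normalized)`, and passing `normalized_match.groupdict()` to the handler keeps the two apart. The comment says the second regex check makes sure the groups stay the same, but the code only checks that the pattern still matches and then calls the handler with the new groups, so I would reword it to `# re-match the normalized URL and take the groups from it, so handlers only ever see resolved paths`. `str(yarl.URL(...))` may also differ from the input for reasons other than `/../` segments (percent-encoding or host case, for instance), so the "attempted to circumvent url normalisation" log line can presumably fire on harmless links; a neutral wording such as "did not match after normalisation" would keep the log useful for triage.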