Diffstat (limited to '')
-rw-r--r-- | bot/exts/info/code_snippets.py | 15 | ||||
-rw-r--r-- | pyproject.toml | 1 | ||||
-rw-r--r-- | uv.lock | 2 |
3 files changed, 18 insertions, 0 deletions
diff --git a/bot/exts/info/code_snippets.py b/bot/exts/info/code_snippets.py
index 6f67eda3c..1ba4151c7 100644
--- a/bot/exts/info/code_snippets.py
+++ b/bot/exts/info/code_snippets.py
@@ -5,6 +5,7 @@ from typing import Any
 from urllib.parse import quote_plus
 import discord
+import yarl
 from aiohttp import ClientResponseError
 from discord.ext.commands import Cog
@@ -272,6 +273,20 @@ class CodeSnippets(Cog):
         for pattern, handler in self.pattern_handlers:
             for match in pattern.finditer(content):
+                # ensure that the matched URL meets url normalization rules.
+                # parsing an absolute url with yarl resolves all parent urls such as `/../`,
+                # we then check the regex again to make sure our groups stay the same
+                unsanitized = match.group(0)
+                normalized = str(yarl.URL(unsanitized))
+                if normalized != unsanitized:
+                    match = pattern.fullmatch(normalized)
+                    if not match:
+                        log.info(
+                            "Received code snippet url %s which "
+                            "attempted to circumvent url normalisation.",
+                            unsanitized
+                        )
+                        continue
                 try:
                     result = await handler(**match.groupdict())
                 except ClientResponseError as error:
diff --git a/pyproject.toml b/pyproject.toml
index e58ea4a50..65d6ab42a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -25,6 +25,7 @@ dependencies = [
     "sentry-sdk==2.22.0",
     "tenacity==9.0.0",
     "tldextract==5.1.3",
+    "yarl==1.22.0",
 ]
 name = "bot"
 version = "1.0.1"
@@ -205,6 +205,7 @@ dependencies = [
     { name = "sentry-sdk" },
     { name = "tenacity" },
     { name = "tldextract" },
+    { name = "yarl" },
 ]
 [package.dev-dependencies]
@@ -242,6 +243,7 @@ requires-dist = [
     { name = "sentry-sdk", specifier = "==2.22.0" },
     { name = "tenacity", specifier = "==9.0.0" },
     { name = "tldextract", specifier = "==5.1.3" },
+    { name = "yarl", specifier = ">=1.22.0" },
 ]
 [package.metadata.requires-dev]
|
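Review bot: In the second hunk of code_snippets.py, `yarl.URL(unsanitized)` is called on regex-matched text with no exception handling, and yarl raises `ValueError` on some inputs it cannot parse; if a pattern admits such a string, the exception escapes the `for match` loop instead of skipping that one link, so consider `try: normalized = str(yarl.URL(unsanitized))` / `except ValueError: continue` with the same `log.info` call. The re-check uses `pattern.fullmatch(normalized)` on the isolated URL whereas the original match came from `finditer` over the whole message, so any pattern that depends on surrounding context (lookarounds, leading delimiters) could behave differently here — worth confirming against the `pattern_handlers` regexes, which are outside the hunk. Since the check exists to keep dot segments out of the path handed to the handler, a unit test should pin that a literal `..` segment and its percent-encoded equivalent are both collapsed by the yarl version pinned in pyproject.toml, because that library behaviour is what the guard relies on. Minor: the comment spells "normalization" and the log message "normalisation"; pick one. The enclosing method begins before and continues past the hunk.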