Implement URL normalization in code snippet handler

onerandomusername · onerandomusername · commit 5aa039845be7 · 2025-10-21T14:49:01.000-04:00
Add URL normalization checks using yarl in code snippets.
diff --git a/bot/exts/info/code_snippets.py b/bot/exts/info/code_snippets.py
@@ -5,6 +5,7 @@
 from urllib.parse import quote_plus
 
 import discord
+import yarl
 from aiohttp import ClientResponseError
 from discord.ext.commands import Cog
 
@@ -272,6 +273,20 @@ async def _parse_snippets(self, content: str) -> str:
 
         for pattern, handler in self.pattern_handlers:
             for match in pattern.finditer(content):
+                # ensure that the matched URL meets url normalization rules.
+                # parsing with yarl resolves all parent urls such as `/../`,
+                # we then check the regex again to make sure our groups stay the same
+                unsanitized = match.group(0)
+                normalized = str(yarl.URL(unsanitized))
+                if normalized != unsanitized:
+                    match = pattern.fullmatch(normalized)
+                    if not match:
+                        log.info(
+                            "Received code snippet url %s which "
+                            "attempted to circumvent url normalisation.",
+                            unsanitized
+                        )
+                        continue
                 try:
                     result = await handler(**match.groupdict())
                 except ClientResponseError as error:
