Merge pull request #3409 from onerandomusername/patch-1

Implement URL normalization in code snippet handler

Author: wookie184

bot/exts/info/code_snippets.py

@@ -5,6 +5,7 @@
 from urllib.parse import quote_plus
 
 import discord
+import yarl
 from aiohttp import ClientResponseError
 from discord.ext.commands import Cog
 
@@ -272,6 +273,20 @@ async def _parse_snippets(self, content: str) -> str:
 
         for pattern, handler in self.pattern_handlers:
             for match in pattern.finditer(content):
+                # ensure that the matched URL meets url normalization rules.
+                # parsing an absolute url with yarl resolves all parent urls such as `/../`,
+                # we then check the regex again to make sure our groups stay the same
+                unsanitized = match.group(0)
+                normalized = str(yarl.URL(unsanitized))
+                if normalized != unsanitized:
+                    match = pattern.fullmatch(normalized)
+                    if not match:
+                        log.info(
+                            "Received code snippet url %s which "
+                            "attempted to circumvent url normalisation.",
+                            unsanitized
+                        )
+                        continue
                 try:
                     result = await handler(**match.groupdict())
                 except ClientResponseError as error:

pyproject.toml

@@ -25,6 +25,7 @@ dependencies = [
     "sentry-sdk==2.22.0",
     "tenacity==9.0.0",
     "tldextract==5.1.3",
+    "yarl==1.22.0",
 ]
 name = "bot"
 version = "1.0.1"