Merge pull request from GHSA-j8c3-8x46-8pp6
* Don't Exit Token Filtering Early On URLs The token filtering function would exit early if it detected a URL within the message, but it made no extra checks to ensure there weren't other tokens within that message that would trigger it. This made sense when the filtering logic was written, but it's been modified since to introduce this bug. Regression tests included. Signed-off-by: Hassan Abouelela <hassan@hassanamr.com> * Links Advisory In Token Filter Tests Adds a link to the advisory with reasoning for the existence of the test. Signed-off-by: Hassan Abouelela <hassan@hassanamr.com>
1 parent
69fdd36
commit 6739029
Showing
2 changed files
with
40 additions
and
4 deletions.
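--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,40 @@
+import unittest
+from unittest.mock import patch
+
+from bot.exts.filters import filtering
+from tests.helpers import MockBot, autospec
+
+
+class FilteringCogTests(unittest.IsolatedAsyncioTestCase):
+    """Tests the `Filtering` cog."""
+
+    def setUp(self):
+        """Instantiate the bot and cog."""
+        self.bot = MockBot()
+        with patch("bot.utils.scheduling.create_task", new=lambda task, **_: task.close()):
+            self.cog = filtering.Filtering(self.bot)
+
+    @autospec(filtering.Filtering, "_get_filterlist_items", pass_mocks=False, return_value=["TOKEN"])
+    async def test_token_filter(self):
+        """Ensure that a filter token is correctly detected in a message."""
+        messages = {
+            "": False,
+            "no matches": False,
+            "TOKEN": True,
+
+            # See advisory https://github.com/python-discord/bot/security/advisories/GHSA-j8c3-8x46-8pp6
+            "https://google.com TOKEN": True,
+            "https://google.com something else": False,
+        }
+
+        for message, match in messages.items():
+            with self.subTest(input=message, match=match):
+                result, _ = await self.cog._has_watch_regex_match(message)
+
+                self.assertEqual(
+                    match,
+                    bool(result),
+                    msg=f"Hit was {'expected' if match else 'not expected'} for this input."
+                )
+                if result:
+                    self.assertEqual("TOKEN", result.group())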
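Review bot: The two regression cases under the advisory comment only pin the URL-before-token ordering, so the early-exit bug described in the commit message would still be caught only for messages where the link comes first; adding `"TOKEN https://google.com": True` pins the fix regardless of where the link sits. A case such as `"https://google.com/TOKEN"` would also document whether a token embedded in the URL itself is meant to be exempt, but its expected value depends on the filter's URL handling, which lives in the other changed file and is not on this page. The test reaches into the private `_has_watch_regex_match` and patches `_get_filterlist_items`, so a short comment above the decorator stating that the patched list is what the cog treats as its watch tokens would spare the next reader a trip into the cog to confirm why a single plain word is enough.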