
Commit 6739029

Merge pull request from GHSA-j8c3-8x46-8pp6
* Don't Exit Token Filtering Early On URLs The token filtering function would exit early if it detected a URL within the message, but it made no extra checks to ensure there weren't other tokens within that message that would trigger it. This made sense when the filtering logic was written, but it's been modified since to introduce this bug. Regression tests included. Signed-off-by: Hassan Abouelela <hassan@hassanamr.com> * Links Advisory In Token Filter Tests Adds a link to the advisory with reasoning for the existence of the test. Signed-off-by: Hassan Abouelela <hassan@hassanamr.com>
1 parent 69fdd36 commit 6739029


2 files changed

+40
-4
lines changed


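--- a/bot/exts/filters/filtering.py
+++ b/bot/exts/filters/filtering.py
@@ -496,10 +496,6 @@ async def _has_watch_regex_match(self, text: str) -> Tuple[Union[bool, re.Match]
 
         text = self.clean_input(text)
 
-        # Make sure it's not a URL
-        if URL_RE.search(text):
-            return False, None
-
         watchlist_patterns = self._get_filterlist_items('filter_token', allowed=False)
         for pattern in watchlist_patterns:
             match = re.search(pattern, text, flags=re.IGNORECASE)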
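Review bot: With the URL early-exit gone, nothing left in the hunk records why `_has_watch_regex_match` now scans messages that contain a URL, so a later reader could reintroduce the guard as a false-positive fix; a comment above the `watchlist_patterns` line such as `# Scan the whole message even when it contains a URL: returning early on URL_RE let tokens bypass the filter (GHSA-j8c3-8x46-8pp6).` would pin the intent. If the removed check was originally meant to avoid flagging a token that occurs inside a URL itself (a domain or path segment), that case now matches as well; the narrower form would be to test whether the match span overlaps a `URL_RE` match rather than skipping the whole message, which is worth confirming against the live filter-list patterns. `_has_watch_regex_match` starts and ends outside the hunk.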

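--- /dev/null
+++ b/tests/bot/exts/filters/test_filtering.py
@@ -0,0 +1,40 @@
+import unittest
+from unittest.mock import patch
+
+from bot.exts.filters import filtering
+from tests.helpers import MockBot, autospec
+
+
+class FilteringCogTests(unittest.IsolatedAsyncioTestCase):
+    """Tests the `Filtering` cog."""
+
+    def setUp(self):
+        """Instantiate the bot and cog."""
+        self.bot = MockBot()
+        with patch("bot.utils.scheduling.create_task", new=lambda task, **_: task.close()):
+            self.cog = filtering.Filtering(self.bot)
+
+    @autospec(filtering.Filtering, "_get_filterlist_items", pass_mocks=False, return_value=["TOKEN"])
+    async def test_token_filter(self):
+        """Ensure that a filter token is correctly detected in a message."""
+        messages = {
+            "": False,
+            "no matches": False,
+            "TOKEN": True,
+
+            # See advisory https://github.com/python-discord/bot/security/advisories/GHSA-j8c3-8x46-8pp6
+            "https://google.com TOKEN": True,
+            "https://google.com something else": False,
+        }
+
+        for message, match in messages.items():
+            with self.subTest(input=message, match=match):
+                result, _ = await self.cog._has_watch_regex_match(message)
+
+                self.assertEqual(
+                    match,
+                    bool(result),
+                    msg=f"Hit was {'expected' if match else 'not expected'} for this input."
+                )
+                if result:
+                    self.assertEqual("TOKEN", result.group())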
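Review bot: The regression cases in `messages` only place the URL before the token, and only in upper case, so they would not catch a reintroduced early-exit that fires on a trailing URL, nor a regression in the case-insensitive matching the filter performs; adding `"TOKEN https://google.com": True,` and `"https://google.com token": True,` next to the advisory comment covers both. The lower-case case relies on the filter searching with `re.IGNORECASE`, which the companion change to `_has_watch_regex_match` shows, so `result.group()` would be `"token"` and the final assertion should compare case-insensitively, e.g. `self.assertEqual("TOKEN", result.group().upper())`. The expected-false entry `"https://google.com something else"` only proves a URL with no token is not flagged; whether a token embedded inside the URL itself should match is not pinned down here and is worth a deliberate case once that behaviour is decided.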
