Merge pull request from GHSA-j8c3-8x46-8pp6
* Don't Exit Token Filtering Early On URLs

The token filtering function would exit early if it detected a URL
within the message, but it made no extra checks to ensure there weren't
other tokens within that message that would trigger it. This made
sense when the filtering logic was written, but it's been modified since
to introduce this bug.

Regression tests included.

Signed-off-by: Hassan Abouelela <hassan@hassanamr.com>

* Links Advisory In Token Filter Tests

Adds a link to the advisory with reasoning for the existence of the test.

Signed-off-by: Hassan Abouelela <hassan@hassanamr.com>
HassanAbouelela committed Nov 5, 2021
1 parent 69fdd36 commit 6739029
Showing 2 changed files with 40 additions and 4 deletions.
4 changes: 0 additions & 4 deletions bot/exts/filters/filtering.py
Expand Up @@ -496,10 +496,6 @@ async def _has_watch_regex_match(self, text: str) -> Tuple[Union[bool, re.Match]

text = self.clean_input(text)

# Make sure it's not a URL
if URL_RE.search(text):
return False, None

watchlist_patterns = self._get_filterlist_items('filter_token', allowed=False)
for pattern in watchlist_patterns:
match = re.search(pattern, text, flags=re.IGNORECASE)
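--- /dev/null
+++ b/tests/bot/exts/filters/test_filtering.py
@@ -0,0 +1,40 @@
+import unittest
+from unittest.mock import patch
+
+from bot.exts.filters import filtering
+from tests.helpers import MockBot, autospec
+
+
+class FilteringCogTests(unittest.IsolatedAsyncioTestCase):
+    """Tests the `Filtering` cog."""
+
+    def setUp(self):
+        """Instantiate the bot and cog."""
+        self.bot = MockBot()
+        with patch("bot.utils.scheduling.create_task", new=lambda task, **_: task.close()):
+            self.cog = filtering.Filtering(self.bot)
+
+    @autospec(filtering.Filtering, "_get_filterlist_items", pass_mocks=False, return_value=["TOKEN"])
+    async def test_token_filter(self):
+        """Ensure that a filter token is correctly detected in a message."""
+        messages = {
+            "": False,
+            "no matches": False,
+            "TOKEN": True,
+
+            # See advisory https://github.com/python-discord/bot/security/advisories/GHSA-j8c3-8x46-8pp6
+            "https://google.com TOKEN": True,
+            "https://google.com something else": False,
+        }
+
+        for message, match in messages.items():
+            with self.subTest(input=message, match=match):
+                result, _ = await self.cog._has_watch_regex_match(message)
+
+                self.assertEqual(
+                    match,
+                    bool(result),
+                    msg=f"Hit was {'expected' if match else 'not expected'} for this input."
+                )
+                if result:
+                    self.assertEqual("TOKEN", result.group())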
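Review bot: The regression cases in the `messages` dict of `test_token_filter` only exercise a URL that precedes the token, while the URL short-circuit this commit removes from `_has_watch_regex_match` affected any message containing a URL, so the reverse ordering and a token embedded in the URL itself are left unpinned. A later partial early exit (for example one keyed on where the URL sits in the text) would still pass this test. Adding `"TOKEN https://google.com": True,` next to the advisory comment, plus an entry for a constructed URL whose path contains the token (expected value taken from the filter's intended policy, not guessed), would make the advisory's intent explicit in the test. The `bool(result)` comparison followed by the `result.group()` check is fine as written.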
