From 1c28dfc54e954c07e93bc27bccfc407a66a6819f Mon Sep 17 00:00:00 2001
From: arielle
Date: Mon, 13 Oct 2025 13:48:35 -0400
Subject: [PATCH] Implement URL normalization in code snippet handler

Add URL normalization checks using yarl in code snippets.
---
 bot/exts/info/code_snippets.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/bot/exts/info/code_snippets.py b/bot/exts/info/code_snippets.py
index 6f67eda3cb..0d890a8530 100644
--- a/bot/exts/info/code_snippets.py
+++ b/bot/exts/info/code_snippets.py
@@ -5,6 +5,7 @@ from urllib.parse import quote_plus
 import discord
+import yarl
 from aiohttp import ClientResponseError
 from discord.ext.commands import Cog
@@ -272,6 +273,20 @@ async def _parse_snippets(self, content: str) -> str:
 for pattern, handler in self.pattern_handlers:
 for match in pattern.finditer(content):
+ # ensure that the matched URL meets url normalization rules.
+ # parsing with yarl resolves all parent urls such as `/../`,
+ # we then check the regex again to make sure our groups stay the same
+ unsanitized = match.group(0)
+ normalized = str(yarl.URL(unsanitized))
+ if normalized != unsanitized:
+ match = pattern.fullmatch(normalized)
+ if not match:
+ log.info(
+ "Received code snippet url %s which "
+ "attempted to circumvent url normalisation.",
+ unsanitized
+ )
+ continue
 try:
 result = await handler(**match.groupdict())
 except ClientResponseError as error:
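Review bot: `normalized = str(yarl.URL(unsanitized))` runs outside the `try` that follows it, and yarl, as far as I know, reports input it cannot parse with `ValueError`, so a regex-matched URL that yarl rejects would propagate out of `_parse_snippets` and abort the whole message instead of being skipped like the other per-link failures in this loop; wrapping it as `try:` / `normalized = str(yarl.URL(unsanitized))` / `except ValueError:` with a log call and `continue` keeps one bad link from taking down the rest. The `if not match:` branch is the detection signal for a URL that changed under normalization and no longer fits the pattern, so `log.warning` rather than `log.info` would make it visible at the default level; the message's `normalisation` also disagrees with the `normalization` spelling in the comment above it. Reassigning the loop variable `match` to the `fullmatch` result works but reads like accidental shadowing; a distinct name such as `normalized_match`, passed to `handler(**normalized_match.groupdict())`, would be clearer. `_parse_snippets` begins and ends outside this hunk.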