Sanitize invite argument before calling the invite info endpoint

Fixes a potential path traversal bug that can lead you to superfluously and erroneously call a separate endpoint.
7 months ago · 45a0c26240
1 changed files with 12 additions and 1 deletions
--- a/discord/utils.py
+++ b/discord/utils.py
@ -954,6 +954,12 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
    invite: Union[:class:`~discord.Invite`, :class:`str`]
        The invite.

+    Raises
+    -------
+    ValueError
+        The invite is not a valid Discord invite, e.g. is not a URL
+        or does not contain alphanumeric characters.
+
    Returns
    --------
    :class:`.ResolvedInvite`
@ -973,6 +979,11 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
            event_id = url.query.get('event')

            return ResolvedInvite(code, int(event_id) if event_id else None)
+
+        allowed_characters = r'[a-zA-Z0-9\-_]+'
+        if not re.fullmatch(allowed_characters, invite):
+            raise ValueError('Invite contains characters that are not allowed')
+
        return ResolvedInvite(invite, None)