fix(webhooks): don't allow Discord webhook URLs

spiral 2021-11-19 15:54:39 -05:00
parent 75c35b7f85
commit 40dbf7dad6
No known key found for this signature in database
GPG Key ID: A6059F0CA0E1BD31


@ -1,3 +1,4 @@
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Myriad.Extensions;
@ -13,6 +14,7 @@ namespace PluralKit.Bot
{
private readonly ModelRepository _repo;
private readonly DispatchService _dispatch;
private static readonly Regex _webhookRegex = new(@"https://(?:\\w+.)?discord(?:app)?.com/api(?:/v.*)?/webhooks/(.*)");
public Api(ModelRepository repo, DispatchService dispatch)
{
_repo = repo;
@ -121,6 +123,9 @@ namespace PluralKit.Bot
if (!await DispatchExt.ValidateUri(newUrl))
throw new PKError($"The URL {newUrl.AsCode()} is invalid or I cannot access it. Are you sure this is a valid, publicly accessible URL?");
if (_webhookRegex.IsMatch(newUrl))
throw new PKError("PluralKit does not currently support setting a Discord webhook URL as your system's webhook URL.");
var newToken = StringUtils.GenerateToken();
await _repo.UpdateSystem(ctx.System.Id, new()
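Review bot: The `_webhookRegex` pattern added with the field declarations is weaker than it reads, so the new `_webhookRegex.IsMatch(newUrl)` guard in the last hunk can miss Discord webhook URLs it is meant to reject. As shown on this page the literal is verbatim (`@"..."`), which makes `\\w+` a literal backslash followed by `w` characters rather than a word-character class, so the optional subdomain group cannot match a real host name; the dots around `discord` and `com` are unescaped, the pattern is unanchored, and the match is case-sensitive although host names are not. I would change the field to `new(@"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api(?:/v\d+)?/webhooks/", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant)`, or preferably parse `newUrl` with `Uri` and compare `Host` and `AbsolutePath` instead of pattern-matching the raw string. It is also worth confirming how `DispatchExt.ValidateUri` (not visible here) treats redirects, because this check only inspects the URL text the user supplied. The enclosing method starts and ends outside the hunk.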