When a non-blacklisted URL and an otherwise triggering filter token are included in the same message (for example, https://pydis.com and 卍), the token filter does not trigger. This means that by including any non-blacklisted URL, moderation filters can be bypassed.
Credit to @Akarys42 for the following brief.
Reason
The following lines seem to be the culprit:

```python
# Make sure it's not a URL
if URL_RE.search(text):
    return False, None
```
Those lines cause the `_has_watch_regex_match` function to exit early if the message contains a URL. This three-year-old line has been dragged through four commits, and its utility seems to not have been questioned. It has only become an issue once we made the regex filter before the domain one, 10 months ago.
Source of the lines quoted above: bot/bot/exts/filters/filtering.py, lines 499 to 501 in e795914
Bug history
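The early return described under "Reason", reduced to a regression check, as an added example that is not the bot's own code. The `URL_RE` pattern, `WATCH_PATTERNS`, the token `forbiddentoken` and both function names are simplified, constructed stand-ins, and leaving tokens that appear only inside a URL to the domain filter is an assumption about the original intent of the check.

```python
import re
from typing import Callable, List, Optional, Tuple

# Simplified stand-ins (assumptions): the bot's real URL_RE and watch list differ.
URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)
WATCH_PATTERNS = [re.compile(r"\bforbiddentoken\b", re.IGNORECASE)]  # constructed token

Result = Tuple[bool, Optional[str]]


def watch_match_with_early_return(text: str) -> Result:
    """Mirrors the reported behaviour: any URL in the message skips the token check."""
    if URL_RE.search(text):
        return False, None
    for pattern in WATCH_PATTERNS:
        match = pattern.search(text)
        if match:
            return True, match.group(0)
    return False, None


def watch_match_url_aware(text: str) -> Result:
    """One possible fix: blank out the URLs, then still scan the rest of the message."""
    remainder = URL_RE.sub(" ", text)
    for pattern in WATCH_PATTERNS:
        match = pattern.search(remainder)
        if match:
            return True, match.group(0)
    return False, None


# Constructed regression cases: (message, should the token filter fire?)
CASES = [
    ("forbiddentoken", True),
    ("see https://pydis.com", False),
    ("https://pydis.com forbiddentoken", True),          # the reported bypass
    ("https://example.com/forbiddentoken/page", False),  # token only inside a URL
]


def run_cases(check: Callable[[str], Result]) -> List[str]:
    """Return the messages for which `check` disagrees with the expected result."""
    return [msg for msg, expected in CASES if check(msg)[0] != expected]


if __name__ == "__main__":
    print("early return misses:", run_cases(watch_match_with_early_return))
    print("url-aware misses:   ", run_cases(watch_match_url_aware))
```

A case list like this, kept in the test suite, would have flagged the regression when the regex filter was moved ahead of the domain filter.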