From 5c4c281f05c23588e579740542a6bda0ccbd44f9 Mon Sep 17 00:00:00 2001
From: Rapptz
Date: Sat, 23 Nov 2024 21:48:45 -0500
Subject: [PATCH] Sanitize invite argument before calling the invite info endpoint

Fixes a potential path traversal bug that can lead you to superfluously and erroneously call a separate endpoint.
---
 discord/utils.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/discord/utils.py b/discord/utils.py
index 5d898b38bd34..905735cfb406 100644
--- a/discord/utils.py
+++ b/discord/utils.py
@@ -868,6 +868,12 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
     invite: Union[:class:`~discord.Invite`, :class:`str`]
         The invite.
 
+    Raises
+    -------
+    ValueError
+        The invite is not a valid Discord invite, e.g. is not a URL
+        or does not contain alphanumeric characters.
+
     Returns
     --------
     :class:`.ResolvedInvite`
@@ -887,7 +893,12 @@ def resolve_invite(invite: Union[Invite, str]) -> ResolvedInvite:
         event_id = url.query.get('event')
         return ResolvedInvite(code, int(event_id) if event_id else None)
 
-    return ResolvedInvite(invite, None)
+
+    allowed_characters = r'[a-zA-Z0-9\-_]+'
+    if not re.fullmatch(allowed_characters, invite):
+        raise ValueError('Invite contains characters that are not allowed')
+
+    return ResolvedInvite(invite, None)
 
 
 def resolve_template(code: Union[Template, str]) -> str:
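Review bot: The new Raises entry misstates the condition: a bare invite code that is not a URL is an accepted input, so "is not a URL" describes a valid case, and the check added in the second hunk rejects characters outside letters, digits, `-` and `_` rather than requiring alphanumerics. I would reword the two description lines to `The invite code contains characters other than ASCII letters, digits, hyphens or underscores.` so the docstring matches what the code actually raises on. The enclosing docstring and the function signature start outside this hunk.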
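Review bot: The added `re.fullmatch` guards only the fall-through return; the URL branch two lines above still returns `code` without the same validation, and how `code` is derived (earlier in resolve_invite, outside this hunk) is not visible here, so the invariant that a ResolvedInvite's code is ever path-safe is presumably only half enforced. Applying the same check to `code` before the first return, `if not re.fullmatch(allowed_characters, code): raise ValueError('Invite contains characters that are not allowed')`, would make both paths uniform and is cheap. As a point of style, the pattern could be hoisted to a module-level compiled constant such as `_INVITE_CODE_RE = re.compile(r'[a-zA-Z0-9\-_]+')` instead of being rebuilt on every call; this also relies on `re` already being imported in utils.py, which the hunk does not show. resolve_invite's body begins outside the hunk.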