Impact
The botcore.utils.regex.DISCORD_INVITE function was designed to capture all alphanumeric characters after the slash in a Discord invite, but on some platforms, Discord renders or links different communities based on the content after a second slash. For instance, https://discord.gg/python/new_community could link to new_community on some platforms. The utility would only see the python portion.
This advisory only affects users of the function above.
Patches
This has been fixed by 47936d5 in v7.0.0. Upgrading to the latest version is the recommended fix.
When upgrading, please pay attention to the following change:
Breaking: the Discord invite regex no longer returns a URL-safe result; refer to the documentation for handling it safely.
Workarounds
To avoid this bug without upgrading the library version, you can use the following patched version directly in your code:
import re

DISCORD_INVITE = re.compile(
    r"(discord([.,]|dot)gg|"                    # Could be discord.gg/
    r"discord([.,]|dot)com(/|slash)invite|"     # or discord.com/invite/
    r"discordapp([.,]|dot)com(/|slash)invite|"  # or discordapp.com/invite/
    r"discord([.,]|dot)me|"                     # or discord.me
    r"discord([.,]|dot)li|"                     # or discord.li
    r"discord([.,]|dot)io|"                     # or discord.io
    r"((?<!\w)([.,]|dot))gg"                    # or .gg/
    r")([/]|slash)"                             # / or 'slash'
    r"(?P<invite>\S+)",                         # the invite code itself
    flags=re.IGNORECASE,
)
For more information
If you have any questions or comments about this advisory:
Credits
Thanks to @onerandomusername for reporting this vulnerability.
And thanks to @GDWR for providing a fix.