Hacked in URL verification without visiting

This commit is contained in:
Casey 2024-03-17 13:41:36 +03:00
parent a7d0e5aff2
commit 92a0689eb6
Signed by: hkc
GPG Key ID: F0F6CFE11CDB0960
2 changed files with 21 additions and 8 deletions

View File

@ -15,7 +15,8 @@ from nfuck.utils import sanitize_link
dp = Dispatcher() dp = Dispatcher()
SILENT_REMOVAL_IDS: set[int] = set(list(map(int, getenv("SILENT_REMOVAL_IDS", "").split(",")))) SILENT_REMOVAL_IDS: set[int] = set(list(map(int, filter(lambda v: v, getenv("SILENT_REMOVAL_IDS", "").split(",")))))
@dp.message(Command("check")) @dp.message(Command("check"))
async def on_check(message: Message): async def on_check(message: Message):
@ -66,8 +67,12 @@ async def on_message(message: Message):
if confidence > 0.9: if confidence > 0.9:
detected_links.append((entity.url, confidence)) detected_links.append((entity.url, confidence))
if detected_links: if detected_links:
await message.delete()
if message.from_user and message.chat.id not in SILENT_REMOVAL_IDS: if message.from_user and message.chat.id not in SILENT_REMOVAL_IDS:
msg = await message.reply( if not message.bot:
raise RuntimeError("what")
msg = await message.bot.send_message(
message.chat.id,
str.join( str.join(
"\n", "\n",
[ [
@ -82,13 +87,11 @@ async def on_message(message: Message):
], ],
), ),
f"Sender: {message.from_user.full_name} #{message.from_user.id} (@{message.from_user.username})", f"Sender: {message.from_user.full_name} #{message.from_user.id} (@{message.from_user.username})",
"(message will be deleted in 10 seconds)" "(message will be deleted in 10 seconds)",
"False positive? Report <a href=\"https://forms.gle/cwj565M3y928M47g7\">here</a>!"
], ],
), ),
parse_mode="html", parse_mode="html",
) )
await message.delete()
await sleep(10) await sleep(10)
await msg.delete() await msg.delete()
else:
await message.delete()

View File

@ -16,6 +16,10 @@ USER_AGENT = [
"Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0"
] ]
URL_PATTERNS: list[tuple[float, Pattern, str]] = [
(10.0, regexp(r"https://t.me/\w+[bB]ot/claim"), "Telegram Bot claim link")
]
REGEX_PATTERNS: list[tuple[float, Pattern, str]] = [ REGEX_PATTERNS: list[tuple[float, Pattern, str]] = [
(1.0, regexp(r"\bp2e\b", IGNORECASE), "Play-to-earn keyword"), (1.0, regexp(r"\bp2e\b", IGNORECASE), "Play-to-earn keyword"),
(5.0, regexp(r"play\-to\-earn", IGNORECASE), "Play-to-earn directly"), (5.0, regexp(r"play\-to\-earn", IGNORECASE), "Play-to-earn directly"),
@ -32,7 +36,8 @@ REGEX_PATTERNS: list[tuple[float, Pattern, str]] = [
(3.0, regexp(r"A collection of \w+ NFTs", IGNORECASE), "Collection of [some] NFTs"), (3.0, regexp(r"A collection of \w+ NFTs", IGNORECASE), "Collection of [some] NFTs"),
] ]
MAX_SCORE = sum(t[0] for t in REGEX_PATTERNS) MAX_REGEX_SCORE = 30 # sum(t[0] for t in REGEX_PATTERNS)
MAX_URL_SCORE = 10
def explain_verification(content: str) -> list[tuple[float, str, Match]]: def explain_verification(content: str) -> list[tuple[float, str, Match]]:
@ -56,6 +61,11 @@ async def verify_link(url: str) -> float:
if any(fnmatch(domain, pat) for pat in DOMAIN_WHITELIST): if any(fnmatch(domain, pat) for pat in DOMAIN_WHITELIST):
logger.info("Score for %r: 0 (whitelisted domain)", url) logger.info("Score for %r: 0 (whitelisted domain)", url)
return 0 return 0
for score, regex, explanation in REGEX_PATTERNS:
for match in regex.finditer(url):
total_score += score
if total_score >= MAX_REGEX_SCORE:
return total_score / MAX_REGEX_SCORE
async with AsyncClient( async with AsyncClient(
headers={"User-Agent": get_random_useragent()} headers={"User-Agent": get_random_useragent()}
) as client: ) as client:
@ -64,4 +74,4 @@ async def verify_link(url: str) -> float:
logger.debug("%s: %s at %d", url, explanation, match.start()) logger.debug("%s: %s at %d", url, explanation, match.start())
total_score += score total_score += score
logger.info("Score for %r: %f", url, total_score) logger.info("Score for %r: %f", url, total_score)
return total_score / MAX_SCORE return total_score / MAX_REGEX_SCORE