Description
Description
The client side percent-decoding allows for seemingly bypassing some automod rules.
I don't really see an easy fix for this, besides completely disabling percent-decoding on the client (which is mostly a cool feature) or enabling percent-decoding on the automod side, which I feel like is probably going to slow it down and therefore slow down sending messages?
Steps to Reproduce
-
Use this regular expression
[^\x00-\x7F]for example on the automod configuration, which basically flags anything that isn't on a qwerty keyboard. -
Try sending
тест обхода антомодаor maybeבדיקת מעקפיםin chat. It doesn't work, great success! -
Percent encode the same text with this tool for example https://www.url-encode-decode.com/
Which gives:
%D1%82%D0%B5%D1%81%D1%82+%D0%BE%D0%B1%D1%85%D0%BE%D0%B4%D0%B0+%D0%B0%D0%BD%D1%82%D0%BE%D0%BC%D0%BE%D0%B4%D0%B0forтест обхода антомода
and
%D7%91%D7%93%D7%99%D7%A7%D7%AA+%D7%9E%D7%A2%D7%A7%D7%A4%D7%99%D7%9Dforבדיקת מעקפים -
Now, just type in a fake url like
https://bogus.website/and append the percent-encoded text behind that. -
Hit Send. Uh oh, the client automatically decoded the percent encoded text, you've successfully bypassed the aforementioned regular expression.
Expected Behavior
The client shouldn't render content that matches the current regex filters.
Current Behavior
Since the client does the percent-decoding, there is no server check to make sure that the decoded content doesn't match the regex. Which allows you to use URLs as a means of sending automoded content.
Screenshots/Videos
Video: https://github.com/discord/discord-api-docs/assets/65200640/b9e568c4-3793-489a-a277-0f5ef5fd7f9e
Client and System Information
Any client on any platform newer than the date of this fix: #6239 (comment)