Release prep: 8.0.2

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
   pull_request:
     branches:
       - master
-      - v[0-9]+.[0-9]+.x
+      - v?[0-9]+.[0-9]+.x
 
 jobs:
   tests:
@@ -25,6 +25,7 @@ jobs:
           - "3.10"
           - "3.11"
           - "3.12"
+          - "3.13"
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}

NEWS

@@ -2,6 +2,36 @@ This file is used to auto-generate the "Changelog" section of Sopel's website.
 When adding new entries, follow the style guide in NEWS.spec.md to avoid
 causing problems with the site build.
 
+Changes between 8.0.1 and 8.0.2
+===============================
+
+Plugin changes
+--------------
+
+* safety:
+  * Gracefully handle invalid URLs containing square brackets [[#2646][]]
+* url:
+  * Fix permission check in `.urlban` and related commands [[#2650][]]
+
+Core changes
+------------
+
+* Removed microseconds from `{time_left}` and `{time_left_sec}` values in rate
+  limit `message` output; round up to next second instead [[#2653][]]
+
+Housekeeping changes
+--------------------
+
+* Pin `urllib3` to accommodate our older, forked `vcrpy` in tests [[#2647][]]
+* Update `typing.cast()` usage for stricter linting from `flake8-type-checking`
+  3.x [[#2647][]]
+
+[#2646]: https://github.com/sopel-irc/sopel/pull/2646
+[#2647]: https://github.com/sopel-irc/sopel/pull/2647
+[#2650]: https://github.com/sopel-irc/sopel/pull/2650
+[#2653]: https://github.com/sopel-irc/sopel/pull/2653
+
+
 Changes between 8.0.0 and 8.0.1
 ===============================
 

dev-requirements.txt

@@ -20,6 +20,9 @@ sphinx-rfcsection~=0.1.1
 # use fork of vcrpy 5.x until kevin1024/vcrpy#777 is (hopefully) accepted
 # (or until py3.9 EOL... in 10/2025, I HOPE NOT)
 vcrpy @ git+https://github.com/sopel-irc/vcrpy@uncap-urllib3
+# also have to use a version of urllib3 that doesn't use the `version_string`
+# attr of the response object, because vcrpy won't support it until 7.x
+urllib3<2.3
 # type check
 mypy>=1.3,<2
 # for `pkg_resources`; first version in which it's typed

sopel/bot.py

@@ -8,9 +8,11 @@
 from __future__ import annotations
 
 from ast import literal_eval
+from datetime import timedelta
 import inspect
 import itertools
 import logging
+import math
 import re
 import threading
 import time
@@ -631,7 +633,11 @@ def rate_limit_info(
             return False, None
 
         next_time = metrics.last_time + rate_limit
-        time_left = next_time - at_time
+        time_left = timedelta(
+            seconds=math.ceil(
+                (next_time - at_time).total_seconds()
+            )
+        )
 
         message: Optional[str] = None
 

sopel/builtins/safety.py

@@ -126,11 +126,15 @@ def setup(bot: Sopel) -> None:
 
 def safeify_url(url: str) -> str:
     """Replace bits of a URL to make it hard to browse to."""
-    parts = urlparse(url)
-    scheme = "hxx" + parts.scheme[3:]  # hxxp
-    netloc = parts.netloc.replace(".", "[.]")  # google[.]com and IPv4
-    netloc = netloc.replace(":", "[:]")  # IPv6 addresses (bad lazy method)
-    return urlunparse((scheme, netloc) + parts[2:])
+    try:
+        parts = urlparse(url)
+        scheme = parts.scheme.replace("t", "x")  # hxxp
+        netloc = parts.netloc.replace(".", "[.]")  # google[.]com and IPv4
+        netloc = netloc.replace(":", "[:]")  # IPv6 addresses (bad lazy method)
+        return urlunparse((scheme, netloc) + parts[2:])
+    except ValueError:
+        # Still try to defang URLs that fail parsing
+        return url.replace(":", "[:]").replace(".", "[.]")
 
 
 def download_domain_list(bot: Sopel, path: str) -> bool:
@@ -224,7 +228,6 @@ def url_handler(bot: SopelWrapper, trigger: Trigger) -> None:
     strict = "strict" in mode
 
     for url in tools.web.search_urls(trigger):
-        safe_url = safeify_url(url)
 
         positives = 0  # Number of engines saying it's malicious
         total = 0  # Number of total engines
@@ -249,6 +252,7 @@ def url_handler(bot: SopelWrapper, trigger: Trigger) -> None:
 
         if positives >= 1:
             # Possibly malicious URL detected!
+            safe_url = safeify_url(url)
             LOGGER.info(
                 "Possibly malicious link (%s/%s) posted in %s by %s: %r",
                 positives,
@@ -258,11 +262,10 @@ def url_handler(bot: SopelWrapper, trigger: Trigger) -> None:
                 safe_url,
             )
             bot.say(
-                "{} {} of {} engine{} flagged a link {} posted as malicious".format(
+                "{} {} of {} engines flagged a link {} posted as malicious".format(
                     bold(color("WARNING:", colors.RED)),
                     positives,
                     total,
-                    "" if total == 1 else "s",
                     bold(trigger.nick),
                 )
             )

sopel/builtins/url.py

@@ -62,7 +62,7 @@ class UrlSection(types.StaticSection):
     """A list of regular expressions to match URLs for which the title should not be shown."""
     exclude_required_access = types.ChoiceAttribute(
         'exclude_required_access',
-        choices=privileges.__all__,
+        choices=[level.name for level in privileges.AccessLevel],
         default='OP',
     )
     """Minimum channel access level required to edit ``exclude`` list using chat commands."""
@@ -159,7 +159,7 @@ def _user_can_change_excludes(bot: SopelWrapper, trigger: Trigger) -> bool:
     channel = bot.channels[trigger.sender]
     user_access = channel.privileges[trigger.nick]
 
-    if user_access >= getattr(privileges, required_access):
+    if user_access >= getattr(privileges.AccessLevel, required_access):
         return True
 
     return False

sopel/tools/time.py

@@ -94,7 +94,7 @@ def validate_timezone(zone: Optional[str]) -> str:
     except pytz.exceptions.UnknownTimeZoneError:
         raise ValueError('Invalid time zone.')
 
-    return cast(str, tz.zone)
+    return cast('str', tz.zone)
 
 
 def validate_format(tformat: str) -> str:

sopel/trigger.py

@@ -229,7 +229,7 @@ def __init__(
 
         # The regex will always match any string, even an empty one
         components_match = cast(
-            Match, PreTrigger.component_regex.match(self.hostmask or ''))
+            'Match', PreTrigger.component_regex.match(self.hostmask or ''))
         nick, self.user, self.host = components_match.groups()
         self.nick: Identifier = self.make_identifier(nick)
 

test/builtins/test_builtins_safety.py

@@ -0,0 +1,27 @@
+"""Tests for Sopel's ``safety`` plugin"""
+
+from __future__ import annotations
+
+import pytest
+
+from sopel.builtins.safety import safeify_url
+
+URL_TESTS = (
+    # Valid URLs
+    ("http://example.com", ("hxxp://example[.]com")),
+    ("http://1.2.3.4/mgr.cgi", ("hxxp://1[.]2[.]3[.]4/mgr.cgi")),
+    ("http://[fd00:1234::4321]/", ("hxxp://[fd00[:]1234[:][:]4321]/")),
+    ("ftp://1.2.3.4/", ("fxp://1[.]2[.]3[.]4/")),
+    # Invalid, but parsed anyway
+    ("http://<placeholder>/", ("hxxp://<placeholder>/")),
+    ("http://1.2.3.4.5/", ("hxxp://1[.]2[.]3[.]4[.]5/")),
+    ("http://555.555.555.555/", ("hxxp://555[.]555[.]555[.]555/")),
+    # urllib.urlparse() works on these in python <=3.10 but fails in 3.11
+    ("http://[fd00:::]/", ("hxxp://[fd00[:][:][:]]/", "http[:]//[fd00[:][:][:]]/")),
+    ("http://[placeholder]/", ("hxxp://[placeholder]/", "http[:]//[placeholder]/")),
+)
+
+
+@pytest.mark.parametrize("original, safed_options", URL_TESTS)
+def test_safeify_url(original, safed_options):
+    assert safeify_url(original) in safed_options

test/builtins/test_builtins_url.py

@@ -70,6 +70,22 @@ def callback(bot, trigger, match):
     return sopel
 
 
+PRELOADED_CONFIG = """
+[core]
+owner = testnick
+nick = TestBot
+enable =
+    coretasks
+    url
+"""
+
+
+@pytest.fixture
+def preloadedbot(configfactory, botfactory):
+    tmpconfig = configfactory('preloaded.cfg', PRELOADED_CONFIG)
+    return botfactory.preloaded(tmpconfig, ['url'])
+
+
 @pytest.mark.parametrize("site", INVALID_URLS)
 def test_find_title_invalid(site):
     # All local for invalid ones
@@ -103,3 +119,30 @@ def test_url_triggers_rules_and_auto_title(mockbot):
     labels = sorted(result[0].get_rule_label() for result in results)
     expected = ['handle_urls_https', 'title_auto']
     assert labels == expected
+
+
+@pytest.mark.parametrize('level, result', (
+    ('NOTHING', False),
+    ('VOICE', False),
+    ('HALFOP', False),
+    ('OP', True),
+    ('ADMIN', True),
+    ('OWNER', True),
+))
+def test_url_ban_privilege(preloadedbot, ircfactory, triggerfactory, level, result):
+    """Make sure the urlban command privilege check functions correctly."""
+    irc = ircfactory(preloadedbot)
+    irc.channel_joined('#test', [
+        'Unothing', 'Uvoice', 'Uhalfop', 'Uop', 'Uadmin', 'Uowner'])
+    irc.mode_set('#test', '+vhoaq', [
+        'Uvoice', 'Uhalfop', 'Uop', 'Uadmin', 'Uowner'])
+
+    nick = f'U{level.title()}'
+    user = level.lower()
+    line = f':{nick}!{user}@example.com PRIVMSG #test :.urlban *'
+    wrapper = triggerfactory.wrapper(preloadedbot, line)
+    match = triggerfactory(preloadedbot, line)
+
+    # parameter matrix assumes the default `url.exclude_required_access` config
+    # value, which was 'OP' at the time of test creation
+    assert url._user_can_change_excludes(wrapper, match) == result

test/test_bot.py

@@ -1174,8 +1174,8 @@ def testrule(bot, trigger):
     # assert there is now a NOTICE which contains templated time left information
     assert mockbot.backend.message_sent
     patt = (br"NOTICE Test :"
-            br"time_left=\d+:\d+:\d+(\.\d+)? "
-            br"time_left_sec=\d+(\.\d+)?")
+            br"time_left=\d+:\d+:\d+ "
+            br"time_left_sec=\d+")
     assert re.match(patt, mockbot.backend.message_sent[0])