fix: harden commit codeblock output against fence breakout and mention abuse

Agent-Logs-Url: https://github.com/statch/gitbot/sessions/71de78f4-95f9-4b00-bbde-4a621af540f1

Co-authored-by: seven7ty <63970738+seven7ty@users.noreply.github.com>

Author: Copilot

cogs/github/numbered/commits.py

@@ -115,6 +115,8 @@ async def commit_command(self,
             message: str = (f"{self.bot.mgr.truncate(commit['messageBody'], 247, full_word=True)}"
                             if commit['messageBody'] and commit['messageBody'] != commit['messageHeadline']
                             else '')
+            full_headline: str = self.bot.mgr.sanitize_codeblock_content(full_headline)
+            message: str = self.bot.mgr.sanitize_codeblock_content(message)
             empty: str = ctx.l.commit.fields.message.empty if not full_headline and not message else ''
             message: str = '```' + full_headline + message + empty + '```'
             embed.add_field(name=f':notepad_spiral: {ctx.l.commit.fields.message.name}:', value=message)

lib/manager.py

@@ -231,6 +231,20 @@ def truncate(str_: str, length: int, ending: str = '...', full_word: bool = Fals
             return str_[:length - len(ending)] + ending
         return str_
 
+    @staticmethod
+    def sanitize_codeblock_content(content: str, neutralize_mentions: bool = True) -> str:
+        """
+        Harden untrusted text for Discord fenced code blocks.
+
+        :param content: The text to sanitize
+        :param neutralize_mentions: Whether to prevent mention abuse
+        :return: The sanitized text
+        """
+        content: str = content.replace('```', '`\u200b``')
+        if neutralize_mentions:
+            content = content.replace('@', '@\u200b')
+        return content
+
     @staticmethod
     def flatten(iterable: Iterable) -> Iterable:
         return list(iterable | traverse)