Just allow the scheme we want!

2 files changed, 6 insertions, 7 deletions

diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 4e1ec1402ea..9931abe8a6e 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -1,7 +1,9 @@
 module Gitlab
   class UrlSanitizer
+    ALLOWED_SCHEMES = %w[http https ssh git]
+
     def self.sanitize(content)
-      regexp = URI::Parser.new.make_regexp(%w(http https ssh git))
+      regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES)
 
       content.gsub(regexp) { |url| new(url).masked_url }
     rescue Addressable::URI::InvalidURIError
@@ -11,9 +13,9 @@ module Gitlab
     def self.valid?(url)
       return false unless url.present?
 
-      Addressable::URI.parse(url.strip)
+      uri = Addressable::URI.parse(url.strip)
 
-      true
+      ALLOWED_SCHEMES.include?(uri.scheme)
     rescue Addressable::URI::InvalidURIError
       false
     end
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index 6e31b6986a4..2f5cb92fb67 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -40,7 +40,7 @@ describe Gitlab::UrlSanitizer do
       false | ''
       false | '123://invalid:url'
       false | 'valid@project:url.git'
-      true  | 'valid:pass@project:url.git'
+      false | 'valid:pass@project:url.git'
       true  | 'ssh://example.com'
       true  | 'ssh://:@example.com'
       true  | 'ssh://foo@example.com'
@@ -117,9 +117,6 @@ describe Gitlab::UrlSanitizer do
         'http://@example.com'        | { user: nil,   password: nil }
         'http://example.com'         | { user: nil,   password: nil }
 
-        # Credentials from SCP-style URLs are not supported at present
-        'foo:bar@example.com:path' | { user: nil, password: nil }
-
         # Other invalid URLs
         nil  | { user: nil, password: nil }
         ''   | { user: nil, password: nil }