Properly handle colons in URL passwords

Before b46d5b13ecb8e0c0793fa433bff7f49cb0612760, we relied on
`Addressable::URI` to parse the username/password in a URL, but this failed
when credentials contained special characters. However, this introduced a regression
where the parsing would incorrectly truncate the password if the password had a colon.

Closes #49080

3 files changed, 7 insertions, 1 deletions

diff --git a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
new file mode 100644
index 00000000000..7717d0aab37
--- /dev/null
+++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
@@ -0,0 +1,5 @@
+---
+title: Properly handle colons in URL passwords
+merge_request:
+author:
+type: fixed
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 59331c827af..de8b6ec69ce 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -58,7 +58,7 @@ module Gitlab
       if raw_credentials.present?
         url.sub!("#{raw_credentials}@", '')
 
-        user, password = raw_credentials.split(':')
+        user, _, password = raw_credentials.partition(':')
         @credentials ||= { user: user.presence, password: password.presence }
       end
 
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index fc8991fd31f..758a9bc5a2b 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
     context 'credentials in URL' do
       where(:url, :credentials) do
         'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
+        'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
         'http://:bar@example.com'    | { user: nil,   password: 'bar' }
         'http://foo:@example.com'    | { user: 'foo', password: nil }
         'http://foo@example.com'     | { user: 'foo', password: nil }