Ensure that emails contain absolute, rather than relative, links to user uploads

3 files changed, 51 insertions, 17 deletions

diff --git a/changelogs/unreleased/41882-respect-only-path-in-relative-link-filter.yml b/changelogs/unreleased/41882-respect-only-path-in-relative-link-filter.yml
new file mode 100644
index 00000000000..d4b7ec6a3b5
--- /dev/null
+++ b/changelogs/unreleased/41882-respect-only-path-in-relative-link-filter.yml
@@ -0,0 +1,5 @@
+---
+title: Ensure that emails contain absolute, rather than relative, links to user uploads
+merge_request: 16364
+author:
+type: fixed
diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb
index 5c197afd782..f6169b2c85d 100644
--- a/lib/banzai/filter/relative_link_filter.rb
+++ b/lib/banzai/filter/relative_link_filter.rb
@@ -50,15 +50,22 @@ module Banzai
       end
 
       def process_link_to_upload_attr(html_attr)
-        uri_parts = [html_attr.value]
+        path_parts = [html_attr.value]
 
         if group
-          uri_parts.unshift(relative_url_root, 'groups', group.full_path, '-')
+          path_parts.unshift(relative_url_root, 'groups', group.full_path, '-')
         elsif project
-          uri_parts.unshift(relative_url_root, project.full_path)
+          path_parts.unshift(relative_url_root, project.full_path)
         end
 
-        html_attr.value = File.join(*uri_parts)
+        path = File.join(*path_parts)
+
+        html_attr.value =
+          if context[:only_path]
+            path
+          else
+            URI.join(Gitlab.config.gitlab.base_url, path).to_s
+          end
       end
 
       def process_link_to_repository_attr(html_attr)
diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb
index f38f0776303..7e17457ce70 100644
--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
@@ -8,7 +8,8 @@ describe Banzai::Filter::RelativeLinkFilter do
       group:          group,
       project_wiki:   project_wiki,
       ref:            ref,
-      requested_path: requested_path
+      requested_path: requested_path,
+      only_path:      only_path
     })
 
     described_class.call(doc, contexts)
@@ -37,6 +38,7 @@ describe Banzai::Filter::RelativeLinkFilter do
   let(:commit)         { project.commit(ref) }
   let(:project_wiki)   { nil }
   let(:requested_path) { '/' }
+  let(:only_path)      { true }
 
   shared_examples :preserve_unchanged do
     it 'does not modify any relative URL in anchor' do
@@ -240,26 +242,35 @@ describe Banzai::Filter::RelativeLinkFilter do
     let(:commit) { nil }
     let(:ref) { nil }
     let(:requested_path) { nil }
+    let(:upload_path) { '/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg' }
+    let(:relative_path) { "/#{project.full_path}#{upload_path}" }
 
     context 'to a project upload' do
+      context 'with an absolute URL' do
+        let(:absolute_path) { Gitlab.config.gitlab.url + relative_path }
+        let(:only_path) { false }
+
+        it 'rewrites the link correctly' do
+          doc = filter(link(upload_path))
+
+          expect(doc.at_css('a')['href']).to eq(absolute_path)
+        end
+      end
+
       it 'rebuilds relative URL for a link' do
-        doc = filter(link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
-        expect(doc.at_css('a')['href'])
-          .to eq "/#{project.full_path}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
+        doc = filter(link(upload_path))
+        expect(doc.at_css('a')['href']).to eq(relative_path)
 
-        doc = filter(nested(link('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg')))
-        expect(doc.at_css('a')['href'])
-          .to eq "/#{project.full_path}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
+        doc = filter(nested(link(upload_path)))
+        expect(doc.at_css('a')['href']).to eq(relative_path)
       end
 
       it 'rebuilds relative URL for an image' do
-        doc = filter(image('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg'))
-        expect(doc.at_css('img')['src'])
-          .to eq "/#{project.full_path}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
+        doc = filter(image(upload_path))
+        expect(doc.at_css('img')['src']).to eq(relative_path)
 
-        doc = filter(nested(image('/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg')))
-        expect(doc.at_css('img')['src'])
-          .to eq "/#{project.full_path}/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg"
+        doc = filter(nested(image(upload_path)))
+        expect(doc.at_css('img')['src']).to eq(relative_path)
       end
 
       it 'does not modify absolute URL' do
@@ -288,6 +299,17 @@ describe Banzai::Filter::RelativeLinkFilter do
       let(:project) { nil }
       let(:relative_path) { "/groups/#{group.full_path}/-/uploads/e90decf88d8f96fe9e1389afc2e4a91f/test.jpg" }
 
+      context 'with an absolute URL' do
+        let(:absolute_path) { Gitlab.config.gitlab.url + relative_path }
+        let(:only_path) { false }
+
+        it 'rewrites the link correctly' do
+          doc = filter(upload_link)
+
+          expect(doc.at_css('a')['href']).to eq(absolute_path)
+        end
+      end
+
       it 'rewrites the link correctly' do
         doc = filter(upload_link)