removes api credentials from link to build_page

Also adds a spec for MergeRequestHelper to avoid having a regression
later on.

2 files changed, 30 insertions, 1 deletions

diff --git a/app/helpers/merge_requests_helper.rb b/app/helpers/merge_requests_helper.rb
index 6c32647594d..9a9eaa05c6d 100644
--- a/app/helpers/merge_requests_helper.rb
+++ b/app/helpers/merge_requests_helper.rb
@@ -27,7 +27,14 @@ module MergeRequestsHelper
   end
 
   def ci_build_details_path(merge_request)
-    merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha, merge_request.source_branch)
+    build_url = merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha, merge_request.source_branch)
+    parsed_url = URI.parse(build_url)
+
+    unless parsed_url.userinfo.blank?
+      parsed_url.userinfo = ''
+    end
+
+    parsed_url.to_s
   end
 
   def merge_path_description(merge_request, separator)
diff --git a/spec/helpers/merge_request_helper_spec.rb b/spec/helpers/merge_request_helper_spec.rb
new file mode 100644
index 00000000000..5363511706e
--- /dev/null
+++ b/spec/helpers/merge_request_helper_spec.rb
@@ -0,0 +1,22 @@
+require "spec_helper"
+
+describe MergeRequestsHelper do
+  let(:project) { create :project }
+  let(:merge_request) { MergeRequest.new }
+  let(:ci_service) { CiService.new }
+  let(:last_commit) { Commit.new({}) }
+
+  before do
+    merge_request.stub(:source_project) { project }
+    merge_request.stub(:last_commit) { last_commit }
+    project.stub(:ci_service) { ci_service }
+    last_commit.stub(:sha) { '12d65c' }
+  end
+
+  describe :ci_build_details_path do
+    it 'does not include api credentials in a link' do
+      ci_service.stub(:build_page) { "http://secretuser:secretpass@jenkins.example.com:8888/job/test1/scm/bySHA1/12d65c" }
+      expect(ci_build_details_path(merge_request)).to_not match("secret")
+    end
+  end
+end
\ No newline at end of file