author | Thong Kuah <tkuah@gitlab.com> | 2019-07-24 22:39:40 +1200 |
---|---|---|
committer | Douglas Barbosa Alexandre <dbalexandre@gmail.com> | 2019-07-29 19:20:30 -0300 |
commit | d6a7408fd319749b9cd47690f03720d1a5c088ca (patch) | |
tree | 97fc6230a007aadf679b686a9fe9d8fedbd59897 | |
parent | 46ef495488d46932b18353739342d503288e0eea (diff) | |
download | gitlab-ce-d6a7408fd319749b9cd47690f03720d1a5c088ca.tar.gz |
Explicitly reject non http(s) schemes
Rather than relying on NoMethodError deep inside faraday
-rw-r--r-- | lib/container_registry/client.rb | 5 | ||||
-rw-r--r-- | spec/lib/container_registry/blob_spec.rb | 19 |
2 files changed, 22 insertions, 2 deletions
diff --git a/lib/container_registry/client.rb b/lib/container_registry/client.rb
index c3a19af7a94..82810ea4076 100644
--- a/lib/container_registry/client.rb
+++ b/lib/container_registry/client.rb
@@ -82,7 +82,10 @@ module ContainerRegistry
 def redirect_response(location)
 return unless location
- faraday_redirect.get(location)
+ uri = URI(@base_uri).merge(location)
+ raise ArgumentError, "Invalid scheme for #{location}" unless %w[http https].include?(uri.scheme)
+
+ faraday_redirect.get(uri)
 end
 def faraday
diff --git a/spec/lib/container_registry/blob_spec.rb b/spec/lib/container_registry/blob_spec.rb
index ec5addc7c68..be7be2f3719 100644
--- a/spec/lib/container_registry/blob_spec.rb
+++ b/spec/lib/container_registry/blob_spec.rb
@@ -112,11 +112,28 @@ describe ContainerRegistry::Blob do
 end
 end
+ context 'for a relative address' do
+ before do
+ stub_request(:get, 'http://registry.gitlab/relative')
+ .with { |request| !request.headers.include?('Authorization') }
+ .to_return(
+ status: 200,
+ headers: { 'Content-Type' => 'application/json' },
+ body: '{"key":"value"}')
+ end
+
+ let(:location) { '/relative' }
+
+ it 'returns correct data' do
+ expect(blob.data).to eq '{"key":"value"}'
+ end
+ end
+
 context 'for invalid file' do
 let(:location) { 'file:///etc/passwd' }
 it 'raises an error' do
- expect { blob.data }.to raise_error(NoMethodError, %q{undefined method `request_uri' for #<URI::File file:///etc/passwd>})
+ expect { blob.data }.to raise_error(ArgumentError, 'Invalid scheme for file:///etc/passwd')
 end
 end
 end
|
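Review bot: The allow-list on `uri.scheme` in `redirect_response` constrains only the scheme; the host of the merged URI still comes from the registry's `Location` header, so an `http(s)` redirect to an internal or link-local address passes this check. Whether the host is validated elsewhere is not visible in this hunk; if it is not, the resolved host should be checked against the project's outbound-request policy before `faraday_redirect.get(uri)`. Separately, `URI(@base_uri).merge(location)` can raise `URI::InvalidURIError` on a malformed header, so callers would see two exception types for a bad redirect; a `rescue URI::InvalidURIError` that re-raises as `ArgumentError` keeps the contract to one. I would also add `# location comes from the registry response and is untrusted; only the scheme is checked here` above the merge.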
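Review bot: The rejection path is pinned only for `file:` in the 'for invalid file' context, so the allow-list is not exercised for any other scheme, and nothing covers an absolute `http(s)` Location on a different host or a malformed Location. A sibling context with a constructed value such as `let(:location) { 'ftp://registry.gitlab/blob' }` expecting `raise_error(ArgumentError, 'Invalid scheme for ftp://registry.gitlab/blob')` would show that the check is an allow-list and not a `file:` special case. The enclosing `describe` and outer context start outside the hunk, so how `blob` and `location` are wired is not visible here.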