diff options
| author | Stan Hu <stanhu@gmail.com> | 2018-07-17 22:50:08 -0700 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-07-18 05:49:33 -0700 |
| commit | 8ac9ee5290aa651e2398909bf63e723a40c81f32 (patch) | |
| tree | f0d153ed54fa7d747be7dd5f67ef65744a676ad8 | |
| parent | 9bdc9b1ae69a62ad764d8ae59baa43a4a0be1d3a (diff) | |
| download | gitlab-ce-sh-normalize-urls.tar.gz | |
Escape username and password in UrlSanitizer#full_urlsh-normalize-urls
If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.
| -rw-r--r-- | changelogs/unreleased/sh-normalize-urls.yml | 5 | ||||
| -rw-r--r-- | lib/gitlab/url_sanitizer.rb | 13 | ||||
| -rw-r--r-- | spec/lib/gitlab/url_sanitizer_spec.rb | 4 |
3 files changed, 17 insertions, 5 deletions
diff --git a/changelogs/unreleased/sh-normalize-urls.yml b/changelogs/unreleased/sh-normalize-urls.yml new file mode 100644 index 00000000000..b0d1120e10b --- /dev/null +++ b/changelogs/unreleased/sh-normalize-urls.yml @@ -0,0 +1,5 @@ +--- +title: Escape username and password in UrlSanitizer#full_url +merge_request: 20684 +author: +type: fixed diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index de8b6ec69ce..4a6a2212f48 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -71,12 +71,12 @@ module Gitlab def generate_full_url return @url unless valid_credentials? - @full_url = @url.dup + generated = @url.dup - @full_url.password = credentials[:password] if credentials[:password].present? - @full_url.user = credentials[:user] if credentials[:user].present? + generated.password = encode_percent(credentials[:password]) if credentials[:password].present? + generated.user = encode_percent(credentials[:user]) if credentials[:user].present? - @full_url + generated end def safe_url @@ -89,5 +89,10 @@ module Gitlab def valid_credentials? credentials && credentials.is_a?(Hash) && credentials.any? end + + def encode_percent(string) + # CGI.escape converts spaces to +, but this doesn't work for git clone + CGI.escape(string).gsub('+', '%20') + end end end diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb index 758a9bc5a2b..9ff5ef2b3ca 100644 --- a/spec/lib/gitlab/url_sanitizer_spec.rb +++ b/spec/lib/gitlab/url_sanitizer_spec.rb @@ -145,6 +145,8 @@ describe Gitlab::UrlSanitizer do 'http://foo:@example.com' | 'http://foo@example.com' 'http://:bar@example.com' | :same 'http://foo:bar@example.com' | :same + 'http://foo:g p@example.com' | 'http://foo:g%20p@example.com' + 'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com' end with_them do @@ -160,7 +162,7 @@ describe Gitlab::UrlSanitizer do url_sanitizer = described_class.new("https://foo:b?r@github.com/me/project.git") expect(url_sanitizer.sanitized_url).to eq("https://github.com/me/project.git") - expect(url_sanitizer.full_url).to eq("https://foo:b?r@github.com/me/project.git") + expect(url_sanitizer.full_url).to eq("https://foo:b%3Fr@github.com/me/project.git") end end end |