Merge branch 'dm-dependency-value-regex' into 'master'

Don't allow spaces in dependency linker value regex

See merge request !11721

3 files changed, 15 insertions, 6 deletions

diff --git a/lib/gitlab/dependency_linker/base_linker.rb b/lib/gitlab/dependency_linker/base_linker.rb
index 7ba0b3c39b7..7bbd154eb03 100644
--- a/lib/gitlab/dependency_linker/base_linker.rb
+++ b/lib/gitlab/dependency_linker/base_linker.rb
@@ -1,8 +1,8 @@
 module Gitlab
   module DependencyLinker
     class BaseLinker
-      URL_REGEX = %r{https?://[^'"]+}.freeze
-      REPO_REGEX = %r{[^/'"]+/[^/'"]+}.freeze
+      URL_REGEX = %r{https?://[^'" ]+}.freeze
+      REPO_REGEX = %r{[^/'" ]+/[^/'" ]+}.freeze
 
       class_attribute :file_type
 
@@ -69,7 +69,7 @@ module Gitlab
         @highlighted_lines ||= highlighted_text.lines
       end
 
-      def regexp_for_value(value, default: /[^'"]+/)
+      def regexp_for_value(value, default: /[^'" ]+/)
         case value
         when Array
           Regexp.union(value.map { |v| regexp_for_value(v, default: default) })
diff --git a/lib/gitlab/dependency_linker/json_linker.rb b/lib/gitlab/dependency_linker/json_linker.rb
index 1b1ca000977..a8ef25233d8 100644
--- a/lib/gitlab/dependency_linker/json_linker.rb
+++ b/lib/gitlab/dependency_linker/json_linker.rb
@@ -24,8 +24,8 @@ module Gitlab
       #   link_json('specific_package', '1.0.1', link: :key)
       #   # Will link `specific_package` in `"specific_package": "1.0.1"`
       def link_json(key, value = nil, link: :value, &url_proc)
-        key = regexp_for_value(key, default: /[^"]+/)
-        value = regexp_for_value(value, default: /[^"]+/)
+        key = regexp_for_value(key, default: /[^" ]+/)
+        value = regexp_for_value(value, default: /[^" ]+/)
 
         if link == :value
           value = /(?<name>#{value})/
diff --git a/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb b/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb
index b5f2c387d6f..8c979ae1869 100644
--- a/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb
+++ b/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb
@@ -24,12 +24,16 @@ describe Gitlab::DependencyLinker::PackageJsonLinker, lib: true do
             "url": "https://github.com/vuejs/vue.git"
           },
           "homepage": "https://github.com/vuejs/vue#readme",
+          "scripts": {
+            "karma": "karma start config/karma.config.js --single-run"
+          },
           "dependencies": {
             "primus": "*",
             "async": "~0.8.0",
             "express": "4.2.x",
             "bigpipe": "bigpipe/pagelet",
-            "plates": "https://github.com/flatiron/plates/tarball/master"
+            "plates": "https://github.com/flatiron/plates/tarball/master",
+            "karma": "^1.4.1"
           },
           "devDependencies": {
             "vows": "^0.7.0",
@@ -69,6 +73,7 @@ describe Gitlab::DependencyLinker::PackageJsonLinker, lib: true do
       expect(subject).to include(link('express', 'https://npmjs.com/package/express'))
       expect(subject).to include(link('bigpipe', 'https://npmjs.com/package/bigpipe'))
       expect(subject).to include(link('plates', 'https://npmjs.com/package/plates'))
+      expect(subject).to include(link('karma', 'https://npmjs.com/package/karma'))
       expect(subject).to include(link('vows', 'https://npmjs.com/package/vows'))
       expect(subject).to include(link('assume', 'https://npmjs.com/package/assume'))
       expect(subject).to include(link('pre-commit', 'https://npmjs.com/package/pre-commit'))
@@ -81,5 +86,9 @@ describe Gitlab::DependencyLinker::PackageJsonLinker, lib: true do
     it 'links Git repos' do
       expect(subject).to include(link('https://github.com/flatiron/plates/tarball/master', 'https://github.com/flatiron/plates/tarball/master'))
     end
+
+    it 'does not link scripts with the same key as a package' do
+      expect(subject).not_to include(link('karma start config/karma.config.js --single-run', 'https://github.com/karma start config/karma.config.js --single-run'))
+    end
   end
 end