author Douwe Maan <douwe@gitlab.com> 2016-03-21 18:51:17 +0000
committer Rémy Coutable <remy@rymai.me> 2016-03-22 12:34:38 +0100
commit 4999495705c9ee3c78f04875e4a3251b02b3d433
tree 6cfde3e653c771f0b6f5e8bc00c6c1504058661e
parent 0fcea6b660f92d6f97ce4b2c36f899cd97a0edec
Merge branch 'fix/safe-import-url' into 'master'

Prevent tokens in the import URL to be showed by the UI

Quick fix to prevent the import URL to show a user's token.

See merge request !3331
-rw-r--r-- CHANGELOG 1
-rw-r--r-- app/models/project.rb 1
2 files changed, 2 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index c108b643d83..3d76867919b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.
v 8.6.0 (unreleased)
- Add ability to move issue to another project
+ - Prevent tokens in the import URL to be showed by the UI
- Fix bug where wrong commit ID was being used in a merge request diff to show old image (Stan Hu)
- Add confidential issues
- Bump gitlab_git to 9.0.3 (Stan Hu)
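Review bot: the added entry under v 8.6.0 reads "to be showed"; "Prevent tokens in the import URL from being shown by the UI" is the grammatical form. It would also help to say that the masking now covers the user part of the URL, since that is what the project.rb change in this commit does and the password part was already masked.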
diff --git a/app/models/project.rb b/app/models/project.rb
index 85a7c406411..9c8246e8ac0 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -431,6 +431,7 @@ class Project < ActiveRecord::Base
def safe_import_url
result = URI.parse(self.import_url)
result.password = '*****' unless result.password.nil?
+ result.user = '*****' unless result.user.nil? || result.user == "git" #tokens or other data may be saved as user
result.to_s
rescue
self.import_url
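Review bot: the `rescue` branch at the end of this hunk returns `self.import_url` unchanged, so a URL that `URI.parse` rejects is still shown with whatever token it carries and the new user masking never runs for it. Consider returning a fixed placeholder from the rescue path instead of the raw value, and rescuing `URI::InvalidURIError` rather than using a bare `rescue`. On the added line, the exemption is an exact comparison with "git", and only the user and password components are masked, so a token placed elsewhere in the URL (path or query string) is not covered; a comment on the method stating that scope would make the limit explicit. The commit touches only CHANGELOG and app/models/project.rb, so a spec covering a token in the user position and the plain "git" user would be worth adding.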