1 files changed, 26 insertions, 7 deletions

diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 703adae12cb..1caa791c1be 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -1,7 +1,9 @@
 module Gitlab
   class UrlSanitizer
+    ALLOWED_SCHEMES = %w[http https ssh git].freeze
+
     def self.sanitize(content)
-      regexp = URI::Parser.new.make_regexp(%w(http https ssh git))
+      regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES)
 
       content.gsub(regexp) { |url| new(url).masked_url }
     rescue Addressable::URI::InvalidURIError
@@ -11,21 +13,20 @@ module Gitlab
     def self.valid?(url)
       return false unless url.present?
 
-      Addressable::URI.parse(url.strip)
+      uri = Addressable::URI.parse(url.strip)
 
-      true
+      ALLOWED_SCHEMES.include?(uri.scheme)
     rescue Addressable::URI::InvalidURIError
       false
     end
 
     def initialize(url, credentials: nil)
-      @url = Addressable::URI.parse(url.to_s.strip)
-
       %i[user password].each do |symbol|
         credentials[symbol] = credentials[symbol].presence if credentials&.key?(symbol)
       end
 
       @credentials = credentials
+      @url = parse_url(url)
     end
 
     def sanitized_url
@@ -49,12 +50,30 @@ module Gitlab
 
     private
 
+    def parse_url(url)
+      url             = url.to_s.strip
+      match           = url.match(%r{\A(?:git|ssh|http(?:s?))\://(?:(.+)(?:@))?(.+)})
+      raw_credentials = match[1] if match
+
+      if raw_credentials.present?
+        url.sub!("#{raw_credentials}@", '')
+
+        user, password = raw_credentials.split(':')
+        @credentials ||= { user: user.presence, password: password.presence }
+      end
+
+      url = Addressable::URI.parse(url)
+      url.password = password if password.present?
+      url.user = user if user.present?
+      url
+    end
+
     def generate_full_url
       return @url unless valid_credentials?
       @full_url = @url.dup
 
-      @full_url.password = credentials[:password]
-      @full_url.user = credentials[:user]
+      @full_url.password = credentials[:password] if credentials[:password].present?
+      @full_url.user = credentials[:user] if credentials[:user].present?
 
       @full_url
     end