gitlab-org--gitlab-foss/lib/gitlab/url_sanitizer.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

112 lines
2.8 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
2016-03-21 08:15:51 -04:00
module Gitlab
class UrlSanitizer
2017-10-02 02:45:58 -04:00
ALLOWED_SCHEMES = %w[http https ssh git].freeze
ALLOWED_WEB_SCHEMES = %w[http https].freeze
2017-09-29 09:45:00 -04:00
def self.sanitize(content)
2018-09-21 02:55:02 -04:00
regexp = URI::DEFAULT_PARSER.make_regexp(ALLOWED_SCHEMES)
content.gsub(regexp) { |url| new(url).masked_url }
2016-07-11 03:01:09 -04:00
rescue Addressable::URI::InvalidURIError
content.gsub(regexp, '')
end
def self.valid?(url, allowed_schemes: ALLOWED_SCHEMES)
return false unless url.present?
return false unless url.is_a?(String)
2017-09-29 09:45:00 -04:00
uri = Addressable::URI.parse(url.strip)
2016-06-30 08:30:07 -04:00
allowed_schemes.include?(uri.scheme)
2016-06-30 08:30:07 -04:00
rescue Addressable::URI::InvalidURIError
false
end
def self.valid_web?(url)
valid?(url, allowed_schemes: ALLOWED_WEB_SCHEMES)
end
2016-03-21 10:11:05 -04:00
def initialize(url, credentials: nil)
%i[user password].each do |symbol|
credentials[symbol] = credentials[symbol].presence if credentials&.key?(symbol)
end
2016-03-21 10:11:05 -04:00
@credentials = credentials
@url = parse_url(url)
2016-03-21 08:15:51 -04:00
end
def sanitized_url
@sanitized_url ||= safe_url.to_s
end
def masked_url
url = @url.dup
url.password = "*****" if url.password.present?
url.user = "*****" if url.user.present?
url.to_s
end
2016-03-21 08:15:51 -04:00
def credentials
@credentials ||= { user: @url.user.presence, password: @url.password.presence }
2016-03-21 08:15:51 -04:00
end
2019-04-11 11:26:16 -04:00
def user
credentials[:user]
end
2016-03-21 10:11:05 -04:00
def full_url
@full_url ||= generate_full_url.to_s
end
2016-03-21 08:15:51 -04:00
private
def parse_url(url)
url = url.to_s.strip
match = url.match(%r{\A(?:git|ssh|http(?:s?))\://(?:(.+)(?:@))?(.+)})
raw_credentials = match[1] if match
if raw_credentials.present?
url.sub!("#{raw_credentials}@", '')
user, _, password = raw_credentials.partition(':')
@credentials ||= {}
@credentials[:user] = user.presence if @credentials[:user].blank?
@credentials[:password] = password.presence if @credentials[:password].blank?
end
url = Addressable::URI.parse(url)
url.password = password if password.present?
url.user = user if user.present?
url
end
2016-03-21 10:11:05 -04:00
def generate_full_url
2016-03-29 09:23:32 -04:00
return @url unless valid_credentials?
@url.dup.tap do |generated|
generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
end
2016-03-21 10:11:05 -04:00
end
2016-03-21 08:15:51 -04:00
def safe_url
safe_url = @url.dup
safe_url.password = nil
safe_url.user = nil
safe_url
end
2016-03-29 09:23:32 -04:00
def valid_credentials?
credentials && credentials.is_a?(Hash) && credentials.any?
end
def encode_percent(string)
# CGI.escape converts spaces to +, but this doesn't work for git clone
CGI.escape(string).gsub('+', '%20')
end
2016-03-21 08:15:51 -04:00
end
2016-03-21 12:29:19 -04:00
end