kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Merge branch 'sh-normalize-urls' into 'master'

Browse source 
Escape username and password in UrlSanitizer#full_url

See merge request gitlab-org/gitlab-ce!20684
This commit is contained in:
Grzegorz Bizon 2018-07-19 12:06:33 +00:00
commit 3b055baf2b
3 changed files with 19 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
changelogs/unreleased/sh-normalize-urls.yml Normal file
View file

@ -0,0 +1,5 @@
---
title: Escape username and password in UrlSanitizer#full_url
merge_request: 20684
author:
type: fixed

15
lib/gitlab/url_sanitizer.rb
View file

@ -71,12 +71,10 @@ module Gitlab
def generate_full_url
return @url unless valid_credentials?
@full_url = @url.dup
@full_url.password = credentials[:password] if credentials[:password].present?
@full_url.user = credentials[:user] if credentials[:user].present?
@full_url
@url.dup.tap do |generated|
generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
end
end
def safe_url
@ -89,5 +87,10 @@ module Gitlab
def valid_credentials?
credentials && credentials.is_a?(Hash) && credentials.any?
end
def encode_percent(string)
# CGI.escape converts spaces to +, but this doesn't work for git clone
CGI.escape(string).gsub('+', '%20')
end
end
end

6
spec/lib/gitlab/url_sanitizer_spec.rb
View file

@ -145,6 +145,10 @@ describe Gitlab::UrlSanitizer do
'http://foo:@example.com' | 'http://foo@example.com'
'http://:bar@example.com' | :same
'http://foo:bar@example.com' | :same
'http://foo:g p@example.com' | 'http://foo:g%20p@example.com'
'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com'
'http://t u:a#b@example.com' | 'http://t%20u:a%23b@example.com'
'http://t+u:a#b@example.com' | 'http://t%2Bu:a%23b@example.com'
end
with_them do
@ -160,7 +164,7 @@ describe Gitlab::UrlSanitizer do
url_sanitizer = described_class.new("https://foo:b?r@github.com/me/project.git")
expect(url_sanitizer.sanitized_url).to eq("https://github.com/me/project.git")
expect(url_sanitizer.full_url).to eq("https://foo:b?r@github.com/me/project.git")
expect(url_sanitizer.full_url).to eq("https://foo:b%3Fr@github.com/me/project.git")
end
end
end