Only allow strings in URL::Sanitizer.valid?

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/55079
2018-12-08 23:23:39 -08:00 · 2018-12-08 23:23:39 -08:00 · 401be1d17f
parent 7cb0dd9859
commit 401be1d17f
3 changed files with 7 additions and 0 deletions
--- a/changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml
+++ b/changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml
@ -0,0 +1,5 @@
+---
+title: Only allow strings in URL::Sanitizer.valid?
+merge_request: 23675
+author:
+type: fixed
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@ -14,6 +14,7 @@ module Gitlab

    def self.valid?(url)
      return false unless url.present?
+      return false unless url.is_a?(String)

      uri = Addressable::URI.parse(url.strip)

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@ -41,6 +41,7 @@ describe Gitlab::UrlSanitizer do
      false | '123://invalid:url'
      false | 'valid@project:url.git'
      false | 'valid:pass@project:url.git'
+      false | %w(test array)
      true  | 'ssh://example.com'
      true  | 'ssh://:@example.com'
      true  | 'ssh://foo@example.com'