diff --git a/Gemfile b/Gemfile index 55de8d02922..44c459c497f 100644 --- a/Gemfile +++ b/Gemfile @@ -105,7 +105,7 @@ gem 'fog-rackspace', '~> 0.1.1' gem 'fog-aliyun', '~> 0.1.0' # for Google storage -gem 'google-api-client', '~> 0.8.6' +gem 'google-api-client', '~> 0.13.6' # for aws storage gem 'unf', '~> 0.1.4' @@ -239,7 +239,7 @@ gem 'rack-proxy', '~> 0.6.0' gem 'sass-rails', '~> 5.0.6' gem 'uglifier', '~> 2.7.2' -gem 'addressable', '~> 2.3.8' +gem 'addressable', '~> 2.5.2' gem 'bootstrap-sass', '~> 3.3.0' gem 'font-awesome-rails', '~> 4.7' gem 'gemojione', '~> 3.3' @@ -356,7 +356,7 @@ end group :test do gem 'shoulda-matchers', '~> 3.1.2', require: false gem 'email_spec', '~> 1.6.0' - gem 'json-schema', '~> 2.6.2' + gem 'json-schema', '~> 2.8.0' gem 'webmock', '~> 2.3.2' gem 'test_after_commit', '~> 1.1' gem 'sham_rack', '~> 1.3.6' diff --git a/Gemfile.lock b/Gemfile.lock index e1bb5d0854d..a0ad2716c01 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -45,7 +45,8 @@ GEM adamantium (0.2.0) ice_nine (~> 0.11.0) memoizable (~> 0.4.0) - addressable (2.3.8) + addressable (2.5.2) + public_suffix (>= 2.0.2, < 4.0) akismet (2.0.0) allocations (1.0.5) arel (6.0.4) @@ -62,10 +63,6 @@ GEM attr_encrypted (3.0.3) encryptor (~> 3.0.0) attr_required (1.0.0) - autoparse (0.3.3) - addressable (>= 2.3.1) - extlib (>= 0.9.15) - multi_json (>= 1.0.0) autoprefixer-rails (6.2.3) execjs json @@ -146,6 +143,8 @@ GEM debugger-ruby_core_source (1.3.8) deckar01-task_list (2.0.0) html-pipeline + declarative (0.0.10) + declarative-option (0.1.0) default_value_for (3.0.2) activerecord (>= 3.2.0, < 5.1) descendants_tracker (0.0.4) @@ -188,7 +187,6 @@ GEM excon (0.57.1) execjs (2.6.0) expression_parser (0.9.0) - extlib (0.9.16) factory_girl (4.7.0) activesupport (>= 3.0.0) factory_girl_rails (4.7.0) 
@@ -288,10 +286,10 @@ GEM flowdock (~> 0.7) gitlab-grit (>= 2.4.1) multi_json - gitlab-grit (2.8.1) + gitlab-grit (2.8.2) charlock_holmes (~> 0.6) diff-lcs (~> 1.1) - mime-types (>= 1.16, < 3) + mime-types (>= 1.16) posix-spawn (~> 0.3) gitlab-markup (1.6.2) gitlab_omniauth-ldap (2.0.4) @@ -319,20 +317,16 @@ GEM json multi_json request_store (>= 1.0) - google-api-client (0.8.7) - activesupport (>= 3.2, < 5.0) - addressable (~> 2.3) - autoparse (~> 0.3) - extlib (~> 0.9) - faraday (~> 0.9) - googleauth (~> 0.3) - launchy (~> 2.4) - multi_json (~> 1.10) - retriable (~> 1.4) - signet (~> 0.6) + google-api-client (0.13.6) + addressable (~> 2.5, >= 2.5.1) + googleauth (~> 0.5) + httpclient (>= 2.8.1, < 3.0) + mime-types (~> 3.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.0) google-protobuf (3.4.0.2) - googleauth (0.5.1) - faraday (~> 0.9) + googleauth (0.5.3) + faraday (~> 0.12) jwt (~> 1.4) logging (~> 2.0) memoist (~> 0.12) @@ -422,8 +416,8 @@ GEM multi_json (>= 1.3) securecompare url_safe_base64 - json-schema (2.6.2) - addressable (~> 2.3.8) + json-schema (2.8.0) + addressable (>= 2.4) jwt (1.5.6) kaminari (1.0.1) activesupport (>= 4.1.0) @@ -475,18 +469,20 @@ GEM mail (2.6.6) mime-types (>= 1.16, < 4) mail_room (0.9.1) - memoist (0.15.0) + memoist (0.16.0) memoizable (0.4.2) thread_safe (~> 0.3, >= 0.3.1) method_source (0.8.2) - mime-types (2.99.3) + mime-types (3.1) + mime-types-data (~> 3.2015) + mime-types-data (3.2016.0521) mimemagic (0.3.0) mini_mime (0.1.4) mini_portile2 (2.3.0) minitest (5.7.0) mmap2 (2.2.7) mousetrap-rails (1.4.6) - multi_json (1.12.1) + multi_json (1.12.2) multi_xml (0.6.0) multipart-post (2.0.0) mustermann (1.0.0) @@ -635,6 +631,7 @@ GEM pry (~> 0.10) pry-rails (0.3.5) pry (>= 0.9.10) + public_suffix (3.0.0) pyu-ruby-sasl (0.0.3.3) rack (1.6.8) rack-accept (0.4.5) 
@@ -717,6 +714,10 @@ GEM redis-store (~> 1.2.0) redis-store (1.2.0) redis (>= 2.2) + representable (3.0.4) + declarative (< 0.1.0) + declarative-option (< 0.2.0) + uber (< 0.2.0) request_store (1.3.1) responders (2.3.0) railties (>= 4.2.0, < 5.1) @@ -724,7 +725,7 @@ GEM http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 4.0) netrc (~> 0.8) - retriable (1.4.1) + retriable (3.1.1) rinku (2.0.0) rotp (2.1.2) rouge (2.2.1) @@ -903,6 +904,7 @@ GEM tzinfo (1.2.3) thread_safe (~> 0.1) u2f (0.2.1) + uber (0.1.0) uglifier (2.7.2) execjs (>= 0.3.0) json (>= 1.8.0) @@ -963,7 +965,7 @@ DEPENDENCIES ace-rails-ap (~> 4.1.0) activerecord_sane_schema_dumper (= 0.2) acts-as-taggable-on (~> 4.0) - addressable (~> 2.3.8) + addressable (~> 2.5.2) akismet (~> 2.0) allocations (~> 1.0) asana (~> 0.6.0) @@ -1033,7 +1035,7 @@ DEPENDENCIES gollum-lib (~> 4.2) gollum-rugged_adapter (~> 0.4.4) gon (~> 6.1.0) - google-api-client (~> 0.8.6) + google-api-client (~> 0.13.6) gpgme grape (~> 1.0) grape-entity (~> 0.6.0) @@ -1051,7 +1053,7 @@ DEPENDENCIES jira-ruby (~> 1.4) jquery-atwho-rails (~> 1.3.2) jquery-rails (~> 4.1.0) - json-schema (~> 2.6.2) + json-schema (~> 2.8.0) jwt (~> 1.5.6) kaminari (~> 1.0) knapsack (~> 1.11.0) diff --git a/changelogs/unreleased/gem-sm-bump-google-api-client-gem-from-0-8-6-to-0-13-6.yml b/changelogs/unreleased/gem-sm-bump-google-api-client-gem-from-0-8-6-to-0-13-6.yml new file mode 100644 index 00000000000..13ec113167f --- /dev/null +++ b/changelogs/unreleased/gem-sm-bump-google-api-client-gem-from-0-8-6-to-0-13-6.yml @@ -0,0 +1,5 @@ +--- +title: Bump google-api-client Gem from 0.8.6 to 0.13.6 +merge_request: +author: +type: other diff --git a/lib/banzai/filter/sanitization_filter.rb b/lib/banzai/filter/sanitization_filter.rb index 88b17e12576..d8c8deea628 100644 --- a/lib/banzai/filter/sanitization_filter.rb +++ b/lib/banzai/filter/sanitization_filter.rb 
@@ -73,8 +73,9 @@ module Banzai return unless node.has_attribute?('href') begin + node['href'] = node['href'].strip uri = Addressable::URI.parse(node['href']) - uri.scheme = uri.scheme.strip.downcase if uri.scheme + uri.scheme = uri.scheme.downcase if uri.scheme node.remove_attribute('href') if UNSAFE_PROTOCOLS.include?(uri.scheme) rescue Addressable::URI::InvalidURIError diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index 4e1ec1402ea..1caa791c1be 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -1,7 +1,9 @@ module Gitlab class UrlSanitizer + ALLOWED_SCHEMES = %w[http https ssh git].freeze + def self.sanitize(content) - regexp = URI::Parser.new.make_regexp(%w(http https ssh git)) + regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES) content.gsub(regexp) { |url| new(url).masked_url } rescue Addressable::URI::InvalidURIError @@ -11,9 +13,9 @@ module Gitlab def self.valid?(url) return false unless url.present? - Addressable::URI.parse(url.strip) + uri = Addressable::URI.parse(url.strip) - true + ALLOWED_SCHEMES.include?(uri.scheme) rescue Addressable::URI::InvalidURIError false end diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb index 59c28431e1e..fc8991fd31f 100644 --- a/spec/lib/gitlab/url_sanitizer_spec.rb +++ b/spec/lib/gitlab/url_sanitizer_spec.rb @@ -39,7 +39,8 @@ describe Gitlab::UrlSanitizer do false | nil false | '' false | '123://invalid:url' - true | 'valid@project:url.git' + false | 'valid@project:url.git' + false | 'valid:pass@project:url.git' true | 'ssh://example.com' true | 'ssh://:@example.com' true | 'ssh://foo@example.com' 
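Review bot: The `strip` on the hunk's added first line only trims leading and trailing ASCII whitespace, so a scheme with a tab or newline embedded between its characters reaches `Addressable::URI.parse` unchanged and either fails parsing or is compared as a scheme that is not in `UNSAFE_PROTOCOLS` on the line below; if the filter is meant to agree with how browsers read an href (the HTML URL parser discards tab and newline characters anywhere in the string), a defensive normalisation such as `node['href'] = node['href'].strip.delete("\t\r\n")` closes that gap. The stripped value is also written back to the node before the parse, so a later `InvalidURIError` leaves the attribute already rewritten. The enclosing method and its `rescue` branch start and end outside the hunk, so whether another filter already normalises whitespace cannot be confirmed from here.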
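Review bot: `ALLOWED_SCHEMES` on the added constant line is now the allowlist shared by `sanitize` and `valid?`, but nothing says so; a comment such as `# Schemes that .valid? accepts and .sanitize masks credentials for; scp-style user@host:path forms are not URLs in this sense and are rejected by .valid?` would make the security intent explicit for the next reader. Since the list is now a frozen constant, the regexp built from it on the changed `regexp =` line can be hoisted as well, e.g. `URL_REGEXP = URI::Parser.new.make_regexp(ALLOWED_SCHEMES).freeze`, instead of constructing a parser on every call. The `rescue Addressable::URI::InvalidURIError` that closes the hunk belongs to `sanitize`, whose body continues past the hunk.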
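Review bot: The added `ALLOWED_SCHEMES.include?(uri.scheme)` compares the scheme case-sensitively, whereas the sanitization_filter hunk in this same commit downcases the scheme before its own check; `Addressable::URI.parse` keeps the scheme as written, so `HTTP://example.com` is reported invalid here while `http://example.com` passes. If that strictness is not intended, `ALLOWED_SCHEMES.include?(uri.normalized_scheme)` (or `uri.scheme.to_s.downcase`) aligns the two call sites; either way the behaviour deserves a spec row. A missing scheme (a bare host or path) makes `include?` return `false`, which looks intended. The whole of `valid?` is inside the hunk; the surrounding class continues past it.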
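Review bot: Both rows added to the table exercise scp-style strings, so nothing in this hunk pins the allowlist itself: a well-formed URL whose scheme is outside `ALLOWED_SCHEMES` (e.g. `false | 'ftp://example.com'`) would document the contract `valid?` now enforces, and a row for an upper-case scheme such as `'HTTP://example.com'` would pin whether scheme matching is meant to be case-insensitive. The `where` table continues outside the hunk, so such rows may already exist further down.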
@@ -81,24 +82,6 @@ describe Gitlab::UrlSanitizer do describe '#credentials' do context 'credentials in hash' do - where(:input, :output) do - { user: 'foo', password: 'bar' } | { user: 'foo', password: 'bar' } - { user: 'foo', password: '' } | { user: 'foo', password: nil } - { user: 'foo', password: nil } | { user: 'foo', password: nil } - { user: '', password: 'bar' } | { user: nil, password: 'bar' } - { user: '', password: '' } | { user: nil, password: nil } - { user: '', password: nil } | { user: nil, password: nil } - { user: nil, password: 'bar' } | { user: nil, password: 'bar' } - { user: nil, password: '' } | { user: nil, password: nil } - { user: nil, password: nil } | { user: nil, password: nil } - end - - with_them do - subject { described_class.new('user@example.com:path.git', credentials: input).credentials } - - it { is_expected.to eq(output) } - end - it 'overrides URL-provided credentials' do sanitizer = described_class.new('http://a:b@example.com', credentials: { user: 'c', password: 'd' }) @@ -116,10 +99,6 @@ describe Gitlab::UrlSanitizer do 'http://@example.com' | { user: nil, password: nil } 'http://example.com' | { user: nil, password: nil } - # Credentials from SCP-style URLs are not supported at present - 'foo@example.com:path' | { user: nil, password: nil } - 'foo:bar@example.com:path' | { user: nil, password: nil } - # Other invalid URLs nil | { user: nil, password: nil } '' | { user: nil, password: nil }