Properly handle colons in URL passwords

Before b46d5b13ec, we relied on `Addressable::URI` to parse the username/password in a URL, but this failed when credentials contained special characters. However, this introduced a regression where the parsing would incorrectly truncate the password if the password had a colon. Closes #49080
2018-07-10 13:00:21 -07:00 · 2018-07-10 13:00:21 -07:00 · 718a23fd36
parent 255db3d597
commit 718a23fd36
3 changed files with 7 additions and 1 deletions
--- a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
@ -0,0 +1,5 @@
+---
+title: Properly handle colons in URL passwords
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@ -58,7 +58,7 @@ module Gitlab
      if raw_credentials.present?
        url.sub!("#{raw_credentials}@", '')

-        user, password = raw_credentials.split(':')
+        user, _, password = raw_credentials.partition(':')
        @credentials ||= { user: user.presence, password: password.presence }
      end

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
    context 'credentials in URL' do
      where(:url, :credentials) do
        'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
+        'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
        'http://:bar@example.com'    | { user: nil,   password: 'bar' }
        'http://foo:@example.com'    | { user: 'foo', password: nil }
        'http://foo@example.com'     | { user: 'foo', password: nil }