Escape username and password in UrlSanitizer#full_url

If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.

changelogs/unreleased/sh-normalize-urls.yml

@@ -0,0 +1,5 @@
+---
+title: Escape username and password in UrlSanitizer#full_url
+merge_request: 20684
+author:
+type: fixed

lib/gitlab/url_sanitizer.rb

@@ -71,12 +71,10 @@ module Gitlab
     def generate_full_url
       return @url unless valid_credentials?
 
-      generated = @url.dup
-
-      generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
-      generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
-
-      generated
+      @url.dup.tap do |generated|
+        generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
+        generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
+      end
     end
 
     def safe_url

spec/lib/gitlab/url_sanitizer_spec.rb

@@ -147,6 +147,8 @@ describe Gitlab::UrlSanitizer do
         'http://foo:bar@example.com' | :same
         'http://foo:g p@example.com' | 'http://foo:g%20p@example.com'
         'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com'
+        'http://t u:a#b@example.com' | 'http://t%20u:a%23b@example.com'
+        'http://t+u:a#b@example.com' | 'http://t%2Bu:a%23b@example.com'
       end
 
       with_them do