Explicitly reject non http(s) schemes

Rather than relying on NoMethodError deep inside faraday
2019-07-24 22:39:40 +12:00 · 2019-07-24 22:39:40 +12:00 · d6a7408fd3
commit d6a7408fd3
parent 46ef495488
2 changed files with 22 additions and 2 deletions
--- a/lib/container_registry/client.rb
+++ b/lib/container_registry/client.rb
@ -82,7 +82,10 @@ module ContainerRegistry
    def redirect_response(location)
      return unless location

-      faraday_redirect.get(location)
+      uri = URI(@base_uri).merge(location)
+      raise ArgumentError, "Invalid scheme for #{location}" unless %w[http https].include?(uri.scheme)
+
+      faraday_redirect.get(uri)
    end

    def faraday
--- a/spec/lib/container_registry/blob_spec.rb
+++ b/spec/lib/container_registry/blob_spec.rb
@ -112,11 +112,28 @@ describe ContainerRegistry::Blob do
        end
      end

+      context 'for a relative address' do
+        before do
+          stub_request(:get, 'http://registry.gitlab/relative')
+            .with { |request| !request.headers.include?('Authorization') }
+            .to_return(
+              status: 200,
+              headers: { 'Content-Type' => 'application/json' },
+              body: '{"key":"value"}')
+        end
+
+        let(:location) { '/relative' }
+
+        it 'returns correct data' do
+          expect(blob.data).to eq '{"key":"value"}'
+        end
+      end
+
      context 'for invalid file' do
        let(:location) { 'file:///etc/passwd' }

        it 'raises an error' do
-          expect { blob.data }.to raise_error(NoMethodError, %q{undefined method `request_uri' for #<URI::File file:///etc/passwd>})
+          expect { blob.data }.to raise_error(ArgumentError, 'Invalid scheme for file:///etc/passwd')
        end
      end
    end