Explicitly reject non http(s) schemes

Rather than relying on a NoMethodError raised deep inside Faraday.
Thong Kuah 2019-07-24 22:39:40 +12:00 committed by Douglas Barbosa Alexandre
parent 46ef495488
commit d6a7408fd3
No known key found for this signature in database
GPG key ID: 4DC4A918C347CAC9
2 changed files with 22 additions and 2 deletions


@ -82,7 +82,10 @@ module ContainerRegistry
def redirect_response(location) def redirect_response(location)
return unless location return unless location
faraday_redirect.get(location) uri = URI(@base_uri).merge(location)
raise ArgumentError, "Invalid scheme for #{location}" unless %w[http https].include?(uri.scheme)
faraday_redirect.get(uri)
end end
def faraday def faraday
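Review bot: The allowlist added in `redirect_response` checks only `uri.scheme`, so a `Location` returned by the registry can still direct the follow-up GET to any http(s) host, including a scheme-relative `//host/path` that `merge` resolves against `@base_uri`. Whether that matters depends on how far the registry is trusted, which this hunk does not show; if it is not fully trusted, the host needs its own check before `faraday_redirect.get(uri)`. At minimum I would record the limit next to the raise: `# Only the scheme is validated here; the redirect host is not restricted.` The message also interpolates the raw `location`, so unvalidated remote text ends up wherever the ArgumentError is logged. The enclosing module starts and ends outside the hunk.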


@ -112,11 +112,28 @@ describe ContainerRegistry::Blob do
end end
end end
context 'for a relative address' do
before do
stub_request(:get, 'http://registry.gitlab/relative')
.with { |request| !request.headers.include?('Authorization') }
.to_return(
status: 200,
headers: { 'Content-Type' => 'application/json' },
body: '{"key":"value"}')
end
let(:location) { '/relative' }
it 'returns correct data' do
expect(blob.data).to eq '{"key":"value"}'
end
end
context 'for invalid file' do context 'for invalid file' do
let(:location) { 'file:///etc/passwd' } let(:location) { 'file:///etc/passwd' }
it 'raises an error' do it 'raises an error' do
expect { blob.data }.to raise_error(NoMethodError, %q{undefined method `request_uri' for #<URI::File file:///etc/passwd>}) expect { blob.data }.to raise_error(ArgumentError, 'Invalid scheme for file:///etc/passwd')
end end
end end
end end
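Review bot: Nothing in these contexts pins what happens when `location` cannot be parsed at all, and on that path `URI(@base_uri).merge(location)` would presumably raise `URI::InvalidURIError` rather than the `ArgumentError` asserted for `file:///etc/passwd`. A further context with an unparseable `location` and an explicit `raise_error` expectation would make the exception contract visible to callers. A rejected scheme other than `file` would also show that the check is an allowlist and not a `file:` special case. The `describe` block starts outside the hunk.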