Just allow the scheme we want!

9401c137 · Lin Jen-Shin · f7fd36f2 · 9401c137 · 9401c137
Commit 9401c137 authored Sep 29, 2017 by Lin Jen-Shin
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 7 deletions

url_sanitizer.rb lib/gitlab/url_sanitizer.rb +5 -3

url_sanitizer_spec.rb spec/lib/gitlab/url_sanitizer_spec.rb +1 -4

No files found.
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
 module Gitlab
  class UrlSanitizer
+    ALLOWED_SCHEMES = %w[http https ssh git]
+
    def self.sanitize(content)
-      regexp = URI::Parser.new.make_regexp(%w(http https ssh git))
+      regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES)

      content.gsub(regexp) { |url| new(url).masked_url }
    rescue Addressable::URI::InvalidURIError
@@ -11,9 +13,9 @@ module Gitlab
    def self.valid?(url)
      return false unless url.present?

-      Addressable::URI.parse(url.strip)
+      uri = Addressable::URI.parse(url.strip)

-      true
+      ALLOWED_SCHEMES.include?(uri.scheme)
    rescue Addressable::URI::InvalidURIError
      false
    end

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -40,7 +40,7 @@ describe Gitlab::UrlSanitizer do
      false | ''
      false | '123://invalid:url'
      false | 'valid@project:url.git'
-      true  | 'valid:pass@project:url.git'
+      false | 'valid:pass@project:url.git'
      true  | 'ssh://example.com'
      true  | 'ssh://:@example.com'
      true  | 'ssh://foo@example.com'
@@ -117,9 +117,6 @@ describe Gitlab::UrlSanitizer do
        'http://@example.com'        | { user: nil,   password: nil }
        'http://example.com'         | { user: nil,   password: nil }

-        # Credentials from SCP-style URLs are not supported at present
-        'foo:bar@example.com:path' | { user: nil, password: nil }
-
        # Other invalid URLs
        nil  | { user: nil, password: nil }
        ''   | { user: nil, password: nil }