diff options
author | Lin Jen-Shin <godfat@godfat.org> | 2017-09-29 21:45:00 +0800 |
---|---|---|
committer | Lin Jen-Shin <godfat@godfat.org> | 2017-09-29 21:45:00 +0800 |
commit | 9401c137fdb6fd217cd81528c2d288f465262723 (patch) | |
tree | cccd448afe7d41a0d3ef9a5f6081fb6dbbd256f8 | |
parent | f7fd36f2a264d4b4cbf9b308497b419aa7bd26c1 (diff) | |
download | gitlab-ce-9401c137fdb6fd217cd81528c2d288f465262723.tar.gz |
Just allow the scheme we want!
-rw-r--r-- | lib/gitlab/url_sanitizer.rb | 8 | ||||
-rw-r--r-- | spec/lib/gitlab/url_sanitizer_spec.rb | 5 |
2 files changed, 6 insertions, 7 deletions
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index 4e1ec1402ea..9931abe8a6e 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -1,7 +1,9 @@ module Gitlab class UrlSanitizer + ALLOWED_SCHEMES = %w[http https ssh git] + def self.sanitize(content) - regexp = URI::Parser.new.make_regexp(%w(http https ssh git)) + regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES) content.gsub(regexp) { |url| new(url).masked_url } rescue Addressable::URI::InvalidURIError @@ -11,9 +13,9 @@ module Gitlab def self.valid?(url) return false unless url.present? - Addressable::URI.parse(url.strip) + uri = Addressable::URI.parse(url.strip) - true + ALLOWED_SCHEMES.include?(uri.scheme) rescue Addressable::URI::InvalidURIError false end diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb index 6e31b6986a4..2f5cb92fb67 100644 --- a/spec/lib/gitlab/url_sanitizer_spec.rb +++ b/spec/lib/gitlab/url_sanitizer_spec.rb @@ -40,7 +40,7 @@ describe Gitlab::UrlSanitizer do false | '' false | '123://invalid:url' false | 'valid@project:url.git' - true | 'valid:pass@project:url.git' + false | 'valid:pass@project:url.git' true | 'ssh://example.com' true | 'ssh://:@example.com' true | 'ssh://foo@example.com' @@ -117,9 +117,6 @@ describe Gitlab::UrlSanitizer do 'http://@example.com' | { user: nil, password: nil } 'http://example.com' | { user: nil, password: nil } - # Credentials from SCP-style URLs are not supported at present - 'foo:bar@example.com:path' | { user: nil, password: nil } - # Other invalid URLs nil | { user: nil, password: nil } '' | { user: nil, password: nil } |