summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLin Jen-Shin <godfat@godfat.org>2017-09-29 21:45:00 +0800
committerLin Jen-Shin <godfat@godfat.org>2017-09-29 21:45:00 +0800
commit9401c137fdb6fd217cd81528c2d288f465262723 (patch)
treecccd448afe7d41a0d3ef9a5f6081fb6dbbd256f8
parentf7fd36f2a264d4b4cbf9b308497b419aa7bd26c1 (diff)
downloadgitlab-ce-9401c137fdb6fd217cd81528c2d288f465262723.tar.gz
Just allow the scheme we want!
-rw-r--r--lib/gitlab/url_sanitizer.rb8
-rw-r--r--spec/lib/gitlab/url_sanitizer_spec.rb5
2 files changed, 6 insertions, 7 deletions
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 4e1ec1402ea..9931abe8a6e 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -1,7 +1,9 @@
module Gitlab
class UrlSanitizer
+ ALLOWED_SCHEMES = %w[http https ssh git]
+
def self.sanitize(content)
- regexp = URI::Parser.new.make_regexp(%w(http https ssh git))
+ regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES)
content.gsub(regexp) { |url| new(url).masked_url }
rescue Addressable::URI::InvalidURIError
@@ -11,9 +13,9 @@ module Gitlab
def self.valid?(url)
return false unless url.present?
- Addressable::URI.parse(url.strip)
+ uri = Addressable::URI.parse(url.strip)
- true
+ ALLOWED_SCHEMES.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError
false
end
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index 6e31b6986a4..2f5cb92fb67 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -40,7 +40,7 @@ describe Gitlab::UrlSanitizer do
false | ''
false | '123://invalid:url'
false | 'valid@project:url.git'
- true | 'valid:pass@project:url.git'
+ false | 'valid:pass@project:url.git'
true | 'ssh://example.com'
true | 'ssh://:@example.com'
true | 'ssh://foo@example.com'
@@ -117,9 +117,6 @@ describe Gitlab::UrlSanitizer do
'http://@example.com' | { user: nil, password: nil }
'http://example.com' | { user: nil, password: nil }
- # Credentials from SCP-style URLs are not supported at present
- 'foo:bar@example.com:path' | { user: nil, password: nil }
-
# Other invalid URLs
nil | { user: nil, password: nil }
'' | { user: nil, password: nil }