| author | Stan Hu <stanhu@gmail.com> | 2018-12-08 23:23:39 -0800 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2018-12-09 07:59:54 -0800 |
| commit | 401be1d17fb839f68358581c0c74560bd4a24f8f (patch) | |
| tree | 9d6df7b3beffee066709ed820214d019997f3560 | |
| parent | 7cb0dd98590e8fdd7483b9f61643a0daa23c2b67 (diff) | |
| download | gitlab-ce-401be1d17fb839f68358581c0c74560bd4a24f8f.tar.gz | |
Only allow strings in URL::Sanitizer.valid?
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/55079
| -rw-r--r-- | changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml | 5 | ||||
| -rw-r--r-- | lib/gitlab/url_sanitizer.rb | 1 | ||||
| -rw-r--r-- | spec/lib/gitlab/url_sanitizer_spec.rb | 1 |
3 files changed, 7 insertions, 0 deletions
diff --git a/changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml b/changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml
new file mode 100644
index 00000000000..c010bd1f540
--- /dev/null
+++ b/changelogs/unreleased/sh-ignore-arrays-url-sanitizer.yml
@@ -0,0 +1,5 @@
+---
+title: Only allow strings in URL::Sanitizer.valid?
+merge_request: 23675
+author:
+type: fixed
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 035268bc4f2..880712de5fe 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -14,6 +14,7 @@ module Gitlab
 def self.valid?(url)
 return false unless url.present?
+ return false unless url.is_a?(String)
 uri = Addressable::URI.parse(url.strip)
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb
index b41a81a8167..6e98a999766 100644
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -41,6 +41,7 @@ describe Gitlab::UrlSanitizer do
 false | '123://invalid:url'
 false | 'valid@project:url.git'
 false | 'valid:pass@project:url.git'
+ false | %w(test array)
 true | 'ssh://example.com'
 true | 'ssh://:@example.com'
 true | 'ssh://foo@example.com' |
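Review bot: In the `lib/gitlab/url_sanitizer.rb` hunk, the new `is_a?(String)` guard in `valid?` runs after `url.present?` and carries no comment saying why a non-String can reach a URL validator. Checking the type first keeps every later call on a known String and makes the guard self-explanatory: `return false unless url.is_a?(String) && url.present?`. A one-line comment such as `# Callers may pass Array/Hash values (e.g. from request params); reject before calling String methods like #strip.` would record the reason, which is presumably the failure in the linked issue. The guard protects only `valid?`; the rest of the method and the class's other entry points lie outside the hunk, so whether they receive the same unvalidated value cannot be confirmed from here.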
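Review bot: The row added to the table in `spec/lib/gitlab/url_sanitizer_spec.rb` pins the guard for an Array only, so a later rewrite to an Array-specific check or to something like `respond_to?(:strip)` could still pass this spec. Adding rows for other non-String values that are `present?`, for example `false | { 'url' => 'ssh://example.com' }` and `false | 123`, would tie the spec to the type check itself. The surrounding table starts and ends outside the hunk.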
