Escape username and password in UrlSanitizer#full_url

If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.

1 files changed, 9 insertions, 6 deletions

diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index de8b6ec69ce..308a95d2f09 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -71,12 +71,10 @@ module Gitlab
     def generate_full_url
       return @url unless valid_credentials?
 
-      @full_url = @url.dup
-
-      @full_url.password = credentials[:password] if credentials[:password].present?
-      @full_url.user = credentials[:user] if credentials[:user].present?
-
-      @full_url
+      @url.dup.tap do |generated|
+        generated.password = encode_percent(credentials[:password]) if credentials[:password].present?
+        generated.user = encode_percent(credentials[:user]) if credentials[:user].present?
+      end
     end
 
     def safe_url
@@ -89,5 +87,10 @@ module Gitlab
     def valid_credentials?
       credentials && credentials.is_a?(Hash) && credentials.any?
     end
+
+    def encode_percent(string)
+      # CGI.escape converts spaces to +, but this doesn't work for git clone
+      CGI.escape(string).gsub('+', '%20')
+    end
   end
 end