author | Stan Hu <stanhu@gmail.com> | 2018-07-18 08:50:08 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-07-19 13:14:07 +0300 |
commit | 50ff36265016728ab9372bff6b16b49e2d2364d6 (patch) | |
tree | 68e7163f33dcee73ae80f3c90963b5280b4277c7 /spec/lib/gitlab | |
parent | 98eccfc44c597ba14939659ca3b9150197129961 (diff) |

Escape username and password in UrlSanitizer#full_url

If a user uses a password with certain characters (e.g. /, #, +, etc.)
UrlSanitizer#full_url will generate an invalid URL that cannot be
parsed properly by Addressable::URI. If used with UrlBlocker, this
will be flagged as an invalid URI.

Diffstat (limited to 'spec/lib/gitlab')
-rw-r--r-- | spec/lib/gitlab/url_sanitizer_spec.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb index 758a9bc5a2b..b41a81a8167 100644 --- a/spec/lib/gitlab/url_sanitizer_spec.rb +++ b/spec/lib/gitlab/url_sanitizer_spec.rb @@ -145,6 +145,10 @@ describe Gitlab::UrlSanitizer do 'http://foo:@example.com' | 'http://foo@example.com' 'http://:bar@example.com' | :same 'http://foo:bar@example.com' | :same + 'http://foo:g p@example.com' | 'http://foo:g%20p@example.com' + 'http://foo:s/h@example.com' | 'http://foo:s%2Fh@example.com' + 'http://t u:a#b@example.com' | 'http://t%20u:a%23b@example.com' + 'http://t+u:a#b@example.com' | 'http://t%2Bu:a%23b@example.com' end with_them do @@ -160,7 +164,7 @@ describe Gitlab::UrlSanitizer do url_sanitizer = described_class.new("https://foo:b?r@github.com/me/project.git") expect(url_sanitizer.sanitized_url).to eq("https://github.com/me/project.git") - expect(url_sanitizer.full_url).to eq("https://foo:b?r@github.com/me/project.git") + expect(url_sanitizer.full_url).to eq("https://foo:b%3Fr@github.com/me/project.git") end end end |
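Review bot: In the first hunk (the table rows added at @@ -145,6 +145,10 @@), the new cases cover a space, '/', '#' and '+' but none where the credential already contains a percent-escape, so the spec does not pin down whether full_url is idempotent or double-encodes. Consider adding a row whose input is already encoded, for example 'http://foo:g%20p@example.com', with the expected output stated explicitly (:same or otherwise), so that passing the result of full_url back through the sanitizer has defined behaviour.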
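Review bot: In the second hunk (@@ -160,7 +164,7 @@), the expected value of full_url changes from "https://foo:b?r@github.com/me/project.git" to the form with b%3Fr, but nothing asserts that the encoded URL still carries the original secret. Since the commit message gives parsing by Addressable::URI as the motivation, an extra expectation that parses full_url and compares the decoded password with "b?r" would make this test guard the round trip and not just the string form. The diffstat is limited to spec/lib/gitlab, so the corresponding library change is not visible here; it would help to confirm which characters it escapes in the user and password parts.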