Diffstat (limited to 'lib/gitlab/url_blocker.rb')
-rw-r--r-- | lib/gitlab/url_blocker.rb | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index 10822f943b6..2c5d76ba41d 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -164,15 +164,21 @@ module Gitlab
 end
 
 def parse_url(url)
- raise Addressable::URI::InvalidURIError if multiline?(url)
-
- Addressable::URI.parse(url)
+ Addressable::URI.parse(url).tap do |parsed_url|
+ raise Addressable::URI::InvalidURIError if multiline_blocked?(parsed_url)
+ end
 rescue Addressable::URI::InvalidURIError, URI::InvalidURIError
 raise BlockedUrlError, 'URI is invalid'
 end
 
- def multiline?(url)
- CGI.unescape(url.to_s) =~ /\n|\r/
+ def multiline_blocked?(parsed_url)
+ url = parsed_url.to_s
+
+ return true if url =~ /\n|\r/
+ # Google Cloud Storage uses a multi-line, encoded Signature query string
+ return false if %w(http https).include?(parsed_url.scheme&.downcase)
+
+ CGI.unescape(url) =~ /\n|\r/
 end
 
 def validate_port(port, ports) |
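Review bot: The http/https early return in multiline_blocked? exempts the entire URL from the decoded CR/LF check, while the comment above it only justifies the query string (the GCS Signature parameter); a percent-encoded newline in the userinfo, host or path of an http(s) URL is now accepted where the old multiline? rejected it. If the intended exemption is only the query, decode and check the rest first, e.g. `return true if CGI.unescape(parsed_url.omit(:query).to_s) =~ /\n|\r/` placed before the scheme check, so only the query component of http(s) URLs is left unchecked. Separately, Addressable::URI.parse returns nil for a nil input and the tap block then calls `parsed_url.scheme` on nil, which would surface as NoMethodError rather than BlockedUrlError, so a guard such as `return false if parsed_url.nil?` at the top of multiline_blocked? is worth adding if any caller can still pass nil (I cannot see the callers from this hunk). Minor style: a `?` predicate returning the Integer/nil of `=~` reads better as `url.match?(/[\r\n]/)` and `%w[http https]` per the Ruby style guide.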