Diffstat (limited to 'lib/gitlab/url_sanitizer.rb')
-rw-r--r-- | lib/gitlab/url_sanitizer.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb
index 79e124a58f5..20cbde0e700 100644
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -26,6 +26,12 @@ module Gitlab
  #{URI::REGEXP::PATTERN::HOSTPORT}
  )
  }x
+ # This expression is derived from `URI::REGEXP::PATTERN::USERINFO` but with the
+ # addition of `{` and `}` in the list of allowed characters to account for the
+ # possibility of the userinfo portion of a URL containing masked segments.
+ # e.g.
+ # http://myuser:{masked_password}@{masked_domain}.com/{masked_hook}
+ MASKED_USERINFO_REGEX = %r{(?:[\\-_.!~*'()a-zA-Z\d;:&=+$,{}]|%[a-fA-F\d]{2})*}
 
  def self.sanitize(content)
  content.gsub(URI_REGEXP) do |url|
@@ -50,6 +56,14 @@ module Gitlab
  valid?(url, allowed_schemes: ALLOWED_WEB_SCHEMES)
  end
 
+ # The url associated with records like `WebHookLog` may contain masked
+ # portions represented by paired curly brackets in the URL. As this
+ # prohibits straightforward parsing of the URL, we can use a variation of
+ # the existing USERINFO regex for these cases.
+ def self.sanitize_masked_url(url)
+ url.gsub(%r{//#{MASKED_USERINFO_REGEX}@}o, '//*****:*****@')
+ end
+
  def initialize(url, credentials: nil)
  %i[user password].each do |symbol|
  credentials[symbol] = credentials[symbol].presence if credentials&.key?(symbol)
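Review bot: In `MASKED_USERINFO_REGEX` the character class opens with `\\-_`, which inside a `%r{}` literal is an escaped backslash followed by the range `\`–`_` (backslash, `]`, `^`, `_`), not an escaped hyphen, so a plain `-` is not accepted and a user or password such as `my-user` will not match. The doubled backslash looks copied from the inspected string form of `URI::REGEXP::PATTERN::USERINFO`, where `"\\-"` denotes `\-` inside a double-quoted string; in a regex literal the same spelling means something different. Because a non-match is silent, the new `sanitize_masked_url` would return such a URL with its credentials unredacted. The fix is one character, `MASKED_USERINFO_REGEX = %r{(?:[\-_.!~*'()a-zA-Z\d;:&=+$,{}]|%[a-fA-F\d]{2})*}`, and a spec using a hyphenated user name would catch the regression.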
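Review bot: `sanitize_masked_url` is fail-open: whenever the userinfo holds a character outside the enumerated class (an unescaped `/`, `?`, `#`, `[`, `]`, a space or a non-ASCII byte, or a `{...}` segment whose name uses such a character) the pattern does not match and the URL is returned with the credentials intact, which is the wrong default for a helper that exists to sanitize log records. An RFC 3986 authority ends at the first `/`, `?` or `#`, so the userinfo can be recognised by what it cannot contain instead of by an allow-list, e.g. `url.gsub(%r{//[^/?#@]*@}, '//*****:*****@')`, which keeps redacting when a credential or masked segment uses an unexpected character and removes the need for `MASKED_USERINFO_REGEX`. The cost is occasional over-redaction of a host in a `//host?x=a@b` style URL, which is the safe direction for this use. The doc comment above the method should also state that the whole userinfo, user and password alike, is replaced by `*****:*****`, since the `WebHookLog` example in the first hunk only shows the password as masked.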