Fix ensure_canonical_path for top level routes

Don’t replace a substring of the path if it is part of the top level route.

E.g. When redirecting from `/groups/ups` to `/groups/foo`, be careful not to do `/grofoo/ups`.

Projects are unaffected by this issue, but I am grouping the `#ensure_canonical_path` tests similar to the group and user tests.

app/controllers/concerns/routable_actions.rb

@@ -24,15 +24,27 @@ module RoutableActions
     end
   end
 
-  def ensure_canonical_path(routable, requested_path)
+  def ensure_canonical_path(routable, requested_full_path)
     return unless request.get?
 
     canonical_path = routable.full_path
-    if canonical_path != requested_path
-      if canonical_path.casecmp(requested_path) != 0
-        flash[:notice] = "#{routable.class.to_s.titleize} '#{requested_path}' was moved to '#{canonical_path}'. Please update any links and bookmarks that may still have the old path."
+    if canonical_path != requested_full_path
+      if canonical_path.casecmp(requested_full_path) != 0
+        flash[:notice] = "#{routable.class.to_s.titleize} '#{requested_full_path}' was moved to '#{canonical_path}'. Please update any links and bookmarks that may still have the old path."
       end
-      redirect_to request.original_fullpath.sub(requested_path, canonical_path)
+      redirect_to full_canonical_path(canonical_path, requested_full_path)
+    end
+  end
+
+  def full_canonical_path(canonical_path, requested_full_path)
+    request_path = request.original_fullpath
+    top_level_route_regex = %r{\A(/#{Regexp.union(DynamicPathValidator::TOP_LEVEL_ROUTES)}/)#{requested_full_path}}
+    top_level_route_match = request_path.match(top_level_route_regex)
+
+    if top_level_route_match
+      request_path.sub(top_level_route_regex, "\\1#{canonical_path}")
+    else
+      request_path.sub(requested_full_path, canonical_path)
     end
   end
 end

spec/controllers/projects_controller_spec.rb

@@ -169,27 +169,6 @@ describe ProjectsController do
       end
     end
 
-    context "when requested with case sensitive namespace and project path" do
-      context "when there is a match with the same casing" do
-        it "loads the project" do
-          get :show, namespace_id: public_project.namespace, id: public_project
-
-          expect(assigns(:project)).to eq(public_project)
-          expect(response).to have_http_status(200)
-        end
-      end
-
-      context "when there is a match with different casing" do
-        it "redirects to the normalized path" do
-          get :show, namespace_id: public_project.namespace, id: public_project.path.upcase
-
-          expect(assigns(:project)).to eq(public_project)
-          expect(response).to redirect_to("/#{public_project.full_path}")
-          expect(controller).not_to set_flash[:notice]
-        end
-      end
-    end
-
     context "when the url contains .atom" do
       let(:public_project_with_dot_atom) { build(:empty_project, :public, name: 'my.atom', path: 'my.atom') }
 
@@ -219,17 +198,6 @@ describe ProjectsController do
         expect(response).to redirect_to(namespace_project_path)
       end
     end
-
-    context 'when requesting a redirected path' do
-      let!(:redirect_route) { public_project.redirect_routes.create!(path: "foo/bar") }
-
-      it 'redirects to the canonical path' do
-        get :show, namespace_id: 'foo', id: 'bar'
-
-        expect(response).to redirect_to(public_project)
-        expect(controller).to set_flash[:notice].to(project_moved_message(redirect_route, public_project))
-      end
-    end
   end
 
   describe "#update" do
@@ -256,34 +224,6 @@ describe ProjectsController do
       expect(assigns(:repository).path).to eq(project.repository.path)
       expect(response).to have_http_status(302)
     end
-
-    context 'when requesting the canonical path' do
-      it "is case-insensitive" do
-        controller.instance_variable_set(:@project, project)
-
-        put :update,
-            namespace_id: 'FOo',
-            id: 'baR',
-            project: project_params
-
-        expect(project.repository.path).to include(new_path)
-        expect(assigns(:repository).path).to eq(project.repository.path)
-        expect(response).to have_http_status(302)
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let!(:redirect_route) { project.redirect_routes.create!(path: "foo/bar") }
-
-      it 'returns not found' do
-        put :update,
-            namespace_id: 'foo',
-            id: 'bar',
-            project: project_params
-
-        expect(response).to have_http_status(404)
-      end
-    end
   end
 
   describe "#destroy" do
@@ -319,31 +259,6 @@ describe ProjectsController do
         expect(merge_request.reload.state).to eq('closed')
       end
     end
-
-    context 'when requesting the canonical path' do
-      it "is case-insensitive" do
-        controller.instance_variable_set(:@project, project)
-        sign_in(admin)
-
-        orig_id = project.id
-        delete :destroy, namespace_id: project.namespace, id: project.path.upcase
-
-        expect { Project.find(orig_id) }.to raise_error(ActiveRecord::RecordNotFound)
-        expect(response).to have_http_status(302)
-        expect(response).to redirect_to(dashboard_projects_path)
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let!(:redirect_route) { project.redirect_routes.create!(path: "foo/bar") }
-
-      it 'returns not found' do
-        sign_in(admin)
-        delete :destroy, namespace_id: 'foo', id: 'bar'
-
-        expect(response).to have_http_status(404)
-      end
-    end
   end
 
   describe 'PUT #new_issue_address' do
@@ -465,17 +380,6 @@ describe ProjectsController do
       expect(parsed_body["Tags"]).to include("v1.0.0")
       expect(parsed_body["Commits"]).to include("123456")
     end
-
-    context 'when requesting a redirected path' do
-      let!(:redirect_route) { public_project.redirect_routes.create!(path: "foo/bar") }
-
-      it 'redirects to the canonical path' do
-        get :refs, namespace_id: 'foo', id: 'bar'
-
-        expect(response).to redirect_to(refs_namespace_project_path(namespace_id: public_project.namespace, id: public_project))
-        expect(controller).to set_flash[:notice].to(project_moved_message(redirect_route, public_project))
-      end
-    end
   end
 
   describe 'POST #preview_markdown' do
@@ -488,6 +392,109 @@ describe ProjectsController do
     end
   end
 
+  describe '#ensure_canonical_path' do
+    before do
+      sign_in(user)
+    end
+
+    context 'for a GET request' do
+      context 'when requesting the canonical path' do
+        context "with exactly matching casing" do
+          it "loads the project" do
+            get :show, namespace_id: public_project.namespace, id: public_project
+
+            expect(assigns(:project)).to eq(public_project)
+            expect(response).to have_http_status(200)
+          end
+        end
+
+        context "with different casing" do
+          it "redirects to the normalized path" do
+            get :show, namespace_id: public_project.namespace, id: public_project.path.upcase
+
+            expect(assigns(:project)).to eq(public_project)
+            expect(response).to redirect_to("/#{public_project.full_path}")
+            expect(controller).not_to set_flash[:notice]
+          end
+        end
+      end
+
+      context 'when requesting a redirected path' do
+        let!(:redirect_route) { public_project.redirect_routes.create!(path: "foo/bar") }
+
+        it 'redirects to the canonical path' do
+          get :show, namespace_id: 'foo', id: 'bar'
+
+          expect(response).to redirect_to(public_project)
+          expect(controller).to set_flash[:notice].to(project_moved_message(redirect_route, public_project))
+        end
+
+        it 'redirects to the canonical path (testing non-show action)' do
+          get :refs, namespace_id: 'foo', id: 'bar'
+
+          expect(response).to redirect_to(refs_namespace_project_path(namespace_id: public_project.namespace, id: public_project))
+          expect(controller).to set_flash[:notice].to(project_moved_message(redirect_route, public_project))
+        end
+      end
+    end
+
+    context 'for a POST request' do
+      context 'when requesting the canonical path with different casing' do
+        it 'does not 404' do
+          post :toggle_star, namespace_id: public_project.namespace, id: public_project.path.upcase
+
+          expect(response).not_to have_http_status(404)
+        end
+
+        it 'does not redirect to the correct casing' do
+          post :toggle_star, namespace_id: public_project.namespace, id: public_project.path.upcase
+
+          expect(response).not_to have_http_status(301)
+        end
+      end
+
+      context 'when requesting a redirected path' do
+        let!(:redirect_route) { public_project.redirect_routes.create!(path: "foo/bar") }
+
+        it 'returns not found' do
+          post :toggle_star, namespace_id: 'foo', id: 'bar'
+
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+
+    context 'for a DELETE request' do
+      before do
+        sign_in(create(:admin))
+      end
+
+      context 'when requesting the canonical path with different casing' do
+        it 'does not 404' do
+          delete :destroy, namespace_id: project.namespace, id: project.path.upcase
+
+          expect(response).not_to have_http_status(404)
+        end
+
+        it 'does not redirect to the correct casing' do
+          delete :destroy, namespace_id: project.namespace, id: project.path.upcase
+
+          expect(response).not_to have_http_status(301)
+        end
+      end
+
+      context 'when requesting a redirected path' do
+        let!(:redirect_route) { project.redirect_routes.create!(path: "foo/bar") }
+
+        it 'returns not found' do
+          delete :destroy, namespace_id: 'foo', id: 'bar'
+
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+  end
+
   def project_moved_message(redirect_route, project)
     "Project '#{redirect_route.path}' was moved to '#{project.full_path}'. Please update any links and bookmarks that may still have the old path."
   end

spec/controllers/users_controller_spec.rb

@@ -53,40 +53,6 @@ describe UsersController do
       end
     end
 
-    context 'when requesting the canonical path' do
-      let(:user) { create(:user, username: 'CamelCaseUser') }
-
-      before { sign_in(user) }
-
-      context 'with exactly matching casing' do
-        it 'responds with success' do
-          get :show, username: user.username
-
-          expect(response).to be_success
-        end
-      end
-
-      context 'with different casing' do
-        it 'redirects to the correct casing' do
-          get :show, username: user.username.downcase
-
-          expect(response).to redirect_to(user)
-          expect(controller).not_to set_flash[:notice]
-        end
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-username') }
-
-      it 'redirects to the canonical path' do
-        get :show, username: redirect_route.path
-
-        expect(response).to redirect_to(user)
-        expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
-      end
-    end
-
     context 'when a user by that username does not exist' do
       context 'when logged out' do
         it 'redirects to login page' do
@@ -131,40 +97,6 @@ describe UsersController do
         expect(assigns(:contributions_calendar).projects.count).to eq(2)
       end
     end
-
-    context 'when requesting the canonical path' do
-      let(:user) { create(:user, username: 'CamelCaseUser') }
-
-      before { sign_in(user) }
-
-      context 'with exactly matching casing' do
-        it 'responds with success' do
-          get :calendar, username: user.username
-
-          expect(response).to be_success
-        end
-      end
-
-      context 'with different casing' do
-        it 'redirects to the correct casing' do
-          get :calendar, username: user.username.downcase
-
-          expect(response).to redirect_to(user_calendar_path(user))
-          expect(controller).not_to set_flash[:notice]
-        end
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-username') }
-
-      it 'redirects to the canonical path' do
-        get :calendar, username: redirect_route.path
-
-        expect(response).to redirect_to(user_calendar_path(user))
-        expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
-      end
-    end
   end
 
   describe 'GET #calendar_activities' do
@@ -187,38 +119,6 @@ describe UsersController do
       get :calendar_activities, username: user.username
       expect(response).to render_template('calendar_activities')
     end
-
-    context 'when requesting the canonical path' do
-      let(:user) { create(:user, username: 'CamelCaseUser') }
-
-      context 'with exactly matching casing' do
-        it 'responds with success' do
-          get :calendar_activities, username: user.username
-
-          expect(response).to be_success
-        end
-      end
-
-      context 'with different casing' do
-        it 'redirects to the correct casing' do
-          get :calendar_activities, username: user.username.downcase
-
-          expect(response).to redirect_to(user_calendar_activities_path(user))
-          expect(controller).not_to set_flash[:notice]
-        end
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-username') }
-
-      it 'redirects to the canonical path' do
-        get :calendar_activities, username: redirect_route.path
-
-        expect(response).to redirect_to(user_calendar_activities_path(user))
-        expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
-      end
-    end
   end
 
   describe 'GET #snippets' do
@@ -241,38 +141,6 @@ describe UsersController do
         expect(JSON.parse(response.body)).to have_key('html')
       end
     end
-
-    context 'when requesting the canonical path' do
-      let(:user) { create(:user, username: 'CamelCaseUser') }
-
-      context 'with exactly matching casing' do
-        it 'responds with success' do
-          get :snippets, username: user.username
-
-          expect(response).to be_success
-        end
-      end
-
-      context 'with different casing' do
-        it 'redirects to the correct casing' do
-          get :snippets, username: user.username.downcase
-
-          expect(response).to redirect_to(user_snippets_path(user))
-          expect(controller).not_to set_flash[:notice]
-        end
-      end
-    end
-
-    context 'when requesting a redirected path' do
-      let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-username') }
-
-      it 'redirects to the canonical path' do
-        get :snippets, username: redirect_route.path
-
-        expect(response).to redirect_to(user_snippets_path(user))
-        expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
-      end
-    end
   end
 
   describe 'GET #exists' do
@@ -321,6 +189,127 @@ describe UsersController do
     end
   end
 
+  describe '#ensure_canonical_path' do
+    before do
+      sign_in(user)
+    end
+
+    context 'for a GET request' do
+      context 'when requesting users at the root path' do
+        context 'when requesting the canonical path' do
+          let(:user) { create(:user, username: 'CamelCaseUser') }
+
+          context 'with exactly matching casing' do
+            it 'responds with success' do
+              get :show, username: user.username
+
+              expect(response).to be_success
+            end
+          end
+
+          context 'with different casing' do
+            it 'redirects to the correct casing' do
+              get :show, username: user.username.downcase
+
+              expect(response).to redirect_to(user)
+              expect(controller).not_to set_flash[:notice]
+            end
+          end
+        end
+
+        context 'when requesting a redirected path' do
+          let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-path') }
+
+          it 'redirects to the canonical path' do
+            get :show, username: redirect_route.path
+
+            expect(response).to redirect_to(user)
+            expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+          end
+
+          context 'when the old path is a substring of the scheme or host' do
+            let(:redirect_route) { user.namespace.redirect_routes.create(path: 'http') }
+
+            it 'does not modify the requested host' do
+              get :show, username: redirect_route.path
+
+              expect(response).to redirect_to(user)
+              expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+            end
+          end
+
+          context 'when the old path is substring of users' do
+            let(:redirect_route) { user.namespace.redirect_routes.create(path: 'ser') }
+
+            it 'redirects to the canonical path' do
+              get :show, username: redirect_route.path
+
+              expect(response).to redirect_to(user)
+              expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+            end
+          end
+        end
+      end
+
+      context 'when requesting users under the /users path' do
+        context 'when requesting the canonical path' do
+          let(:user) { create(:user, username: 'CamelCaseUser') }
+
+          context 'with exactly matching casing' do
+            it 'responds with success' do
+              get :projects, username: user.username
+
+              expect(response).to be_success
+            end
+          end
+
+          context 'with different casing' do
+            it 'redirects to the correct casing' do
+              get :projects, username: user.username.downcase
+
+              expect(response).to redirect_to(user_projects_path(user))
+              expect(controller).not_to set_flash[:notice]
+            end
+          end
+        end
+
+        context 'when requesting a redirected path' do
+          let(:redirect_route) { user.namespace.redirect_routes.create(path: 'old-path') }
+
+          it 'redirects to the canonical path' do
+            get :projects, username: redirect_route.path
+
+            expect(response).to redirect_to(user_projects_path(user))
+            expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+          end
+
+          context 'when the old path is a substring of the scheme or host' do
+            let(:redirect_route) { user.namespace.redirect_routes.create(path: 'http') }
+
+            it 'does not modify the requested host' do
+              get :projects, username: redirect_route.path
+
+              expect(response).to redirect_to(user_projects_path(user))
+              expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+            end
+          end
+
+          context 'when the old path is substring of users' do
+            let(:redirect_route) { user.namespace.redirect_routes.create(path: 'ser') }
+
+            # I.e. /users/ser should not become /ufoos/ser
+            it 'does not modify the /users part of the path' do
+              get :projects, username: redirect_route.path
+
+              expect(response).to redirect_to(user_projects_path(user))
+              expect(controller).to set_flash[:notice].to(user_moved_message(redirect_route, user))
+            end
+          end
+        end
+      end
+    end
+  end
+
   def user_moved_message(redirect_route, user)
     "User '#{redirect_route.path}' was moved to '#{user.full_path}'. Please update any links and bookmarks that may still have the old path."
   end