Commit 9401c137 authored by Lin Jen-Shin's avatar Lin Jen-Shin

Just allow the scheme we want!

parent f7fd36f2
module Gitlab
class UrlSanitizer
ALLOWED_SCHEMES = %w[http https ssh git]
def self.sanitize(content)
regexp = URI::Parser.new.make_regexp(%w(http https ssh git))
regexp = URI::Parser.new.make_regexp(ALLOWED_SCHEMES)
content.gsub(regexp) { |url| new(url).masked_url }
rescue Addressable::URI::InvalidURIError
......@@ -11,9 +13,9 @@ module Gitlab
def self.valid?(url)
return false unless url.present?
Addressable::URI.parse(url.strip)
uri = Addressable::URI.parse(url.strip)
true
ALLOWED_SCHEMES.include?(uri.scheme)
rescue Addressable::URI::InvalidURIError
false
end
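Review bot: `ALLOWED_SCHEMES` now drives two different decisions: which URLs `valid?` accepts, and which URLs `sanitize` finds and masks through `make_regexp(ALLOWED_SCHEMES)`. Narrowing the list later for validation would therefore also stop masking credentials in URLs of the dropped scheme, without any visible signal. A comment on the constant such as `# Used by .valid? (accept-list) and .sanitize (URLs whose credentials are masked); removing a scheme also stops masking it` would make the coupling explicit, and the array should be frozen: `ALLOWED_SCHEMES = %w[http https ssh git].freeze`. In `valid?`, `uri.scheme` appears to be compared exactly as written, so an upper-case scheme like `HTTP://` is presumably rejected; that fails closed, but if it is not intended, `ALLOWED_SCHEMES.include?(uri.normalized_scheme)` compares the lower-cased form. The `rescue` body of `sanitize` lies outside the first hunk, so what it returns on a parse error cannot be checked from here.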
......
......@@ -40,7 +40,7 @@ describe Gitlab::UrlSanitizer do
false | ''
false | '123://invalid:url'
false | 'valid@project:url.git'
true | 'valid:pass@project:url.git'
false | 'valid:pass@project:url.git'
true | 'ssh://example.com'
true | 'ssh://:@example.com'
true | 'ssh://foo@example.com'
......@@ -117,9 +117,6 @@ describe Gitlab::UrlSanitizer do
'http://@example.com' | { user: nil, password: nil }
'http://example.com' | { user: nil, password: nil }
# Credentials from SCP-style URLs are not supported at present
'foo:bar@example.com:path' | { user: nil, password: nil }
# Other invalid URLs
nil | { user: nil, password: nil }
'' | { user: nil, password: nil }
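Review bot: The `valid?` table in the first spec hunk shows no row for a well-formed URL whose scheme is simply not on the allow-list. Each visible `false` row is either empty, unparseable-looking (`123://invalid:url`) or SCP-style, so none of them pins the new `ALLOWED_SCHEMES.include?` check directly. Adding a row such as `false | 'ftp://example.com'` would cover it, and a row for an upper-case scheme (`'HTTP://example.com'`) would record whichever case behaviour is intended. The table continues outside the hunk, so such rows may already exist further down.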
......