Properly handle colons in URL passwords

Before b46d5b13, we relied on `Addressable::URI` to parse the username/password in a URL, but this failed when credentials contained special characters. However, this introduced a regression where the parsing would incorrectly truncate the password if the password had a colon. Closes #49080

Properly handle colons in URL passwords
Before b46d5b13, we relied on `Addressable::URI` to parse the username/password in a URL, but this failed when credentials contained special characters. However, this introduced a regression where the parsing would incorrectly truncate the password if the password had a colon. Closes #49080
718a23fd · Stan Hu · 255db3d5 · 718a23fd · 718a23fd · 718a23fd
Commit 718a23fd authored Jul 10, 2018 by Stan Hu
3 changed files
--- a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+---
+title: Properly handle colons in URL passwords
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -58,7 +58,7 @@ module Gitlab
      if raw_credentials.present?
        url.sub!("#{raw_credentials}@", '')

-        user, password = raw_credentials.split(':')
+        user, _, password = raw_credentials.partition(':')
        @credentials ||= { user: user.presence, password: password.presence }
      end


--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
    context 'credentials in URL' do
      where(:url, :credentials) do
        'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
+        'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
        'http://:bar@example.com'    | { user: nil,   password: 'bar' }
        'http://foo:@example.com'    | { user: 'foo', password: nil }
        'http://foo@example.com'     | { user: 'foo', password: nil }