Merge branch 'issue_447' into 'master'

Mask credentials in URLs instead of remove them REF: #447 REF: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/382#note_11713978 See merge request !385

Merge branch 'issue_447' into 'master'
Mask credentials in URLs instead of remove them REF: #447 REF: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/382#note_11713978 See merge request !385
89f97222 · Robert Speicher · 8c599cd0 · 15bb7e97 · 89f97222 · 89f97222
Commit 89f97222 authored May 10, 2016 by Robert Speicher
Showing with 15 additions and 13 deletions

app/models/project.rb app/models/project.rb +1 -6

lib/gitlab/url_sanitizer.rb lib/gitlab/url_sanitizer.rb +8 -1

spec/lib/gitlab/url_sanitizer_spec.rb spec/lib/gitlab/url_sanitizer_spec.rb +6 -6

No files found.
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -519,12 +519,7 @@ class Project < ActiveRecord::Base
  end
  def safe_import_url
-    result = URI.parse(self.import_url)
+    Gitlab::UrlSanitizer.new(import_url).masked_url
-    result.password = '*****' unless result.password.nil?
-    result.user = '*****' unless result.user.nil? || result.user == "git" #tokens or other data may be saved as user
-    result.to_s
-  rescue
-    self.import_url
  end
  def mirror_updated?

--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -3,7 +3,7 @@ module Gitlab
    def self.sanitize(content)
      regexp = URI::Parser.new.make_regexp(['http', 'https', 'ssh', 'git'])
-      content.gsub(regexp) { |url| new(url).sanitized_url }
+      content.gsub(regexp) { |url| new(url).masked_url }
    end
    def initialize(url, credentials: nil)
@@ -15,6 +15,13 @@ module Gitlab
      @sanitized_url ||= safe_url.to_s
    end
+    def masked_url
+      url = @url.dup
+      url.password = "*****" unless url.password.nil?
+      url.user = "*****" unless url.user.nil?
+      url.to_s
+    end
    def credentials
      @credentials ||= { user: @url.user, password: @url.password }
    end

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -31,16 +31,16 @@ describe Gitlab::UrlSanitizer, lib: true do
      })
    end
-    it 'remove credentials from HTTP URLs' do
+    it 'mask the credentials from HTTP URLs' do
-      expect(filtered_content).to include("http://test.com/root/repoC.git/")
+      expect(filtered_content).to include("http://*****:*****@test.com/root/repoC.git/")
    end
-    it 'remove credentials from HTTPS URLs' do
+    it 'mask the credentials from HTTPS URLs' do
-      expect(filtered_content).to include("https://test.com/root/repoA.git/")
+      expect(filtered_content).to include("https://*****:*****@test.com/root/repoA.git/")
    end
-    it 'remove credentials from SSH URLs' do
+    it 'mask credentials from SSH URLs' do
-      expect(filtered_content).to include("ssh://host.test/path/to/repo.git")
+      expect(filtered_content).to include("ssh://*****@host.test/path/to/repo.git")
    end
    it 'does not modify Git URLs' do