Merge branch 'ee_remove_auth_from_ci_url' into 'master'

removes API credentials from link to CiServer build_page In f1e38963 @dblessing introduced the support to specify API credentials for a CiService (in this case Jenkins) via its URL. This lead to the state that for any MR a link is rendered which references the build result. This link however contains the provided API credentials which I don not believe to be intended! Under this circumstances any user with access to the GitLab MR page can access the API token which may allow privileged access the CI server. My MR changes the behavior of the appropriate helper method to remove the credentials from the link. It also adds a spec for it, so we do not suffer a regression later on.

Merge branch 'ee_remove_auth_from_ci_url' into 'master'
removes API credentials from link to CiServer build_page In f1e38963 @dblessing introduced the support to specify API credentials for a CiService (in this case Jenkins) via its URL. This lead to the state that for any MR a link is rendered which references the build result. This link however contains the provided API credentials which I don not believe to be intended! Under this circumstances any user with access to the GitLab MR page can access the API token which may allow privileged access the CI server. My MR changes the behavior of the appropriate helper method to remove the credentials from the link. It also adds a spec for it, so we do not suffer a regression later on.
bb5581b1 · Dmitriy Zaporozhets · 2b9a9d4c · d448f407 · bb5581b1 · bb5581b1
Commit bb5581b1 authored Jun 11, 2014 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

app/helpers/merge_requests_helper.rb app/helpers/merge_requests_helper.rb +8 -1

spec/helpers/merge_request_helper_spec.rb spec/helpers/merge_request_helper_spec.rb +22 -0

No files found.
--- a/app/helpers/merge_requests_helper.rb
+++ b/app/helpers/merge_requests_helper.rb
@@ -32,7 +32,14 @@ module MergeRequestsHelper
  end

  def ci_build_details_path merge_request
-    merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha)
+    build_url = merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha)
+    parsed_url = URI.parse(build_url)
+
+    unless parsed_url.userinfo.blank?
+      parsed_url.userinfo = ''
+    end
+
+    parsed_url.to_s
  end

  def merge_path_description(merge_request, separator)

--- a/spec/helpers/merge_request_helper_spec.rb
+++ b/spec/helpers/merge_request_helper_spec.rb
+require "spec_helper"
+
+describe MergeRequestsHelper do
+  let(:project) { create :project }
+  let(:merge_request) { MergeRequest.new }
+  let(:ci_service) { CiService.new }
+  let(:last_commit) { Commit.new({}) }
+
+  before do
+    merge_request.stub(:source_project) { project }
+    merge_request.stub(:last_commit) { last_commit }
+    project.stub(:ci_service) { ci_service }
+    last_commit.stub(:sha) { '12d65c' }
+  end
+
+  describe :ci_build_details_path do
+    it 'does not include api credentials in a link' do
+      ci_service.stub(:build_page) { "http://secretuser:secretpass@jenkins.example.com:8888/job/test1/scm/bySHA1/12d65c" }
+      expect(ci_build_details_path(merge_request)).to_not match("secret")
+    end
+  end
+end
\ No newline at end of file