Commit bb5581b1 authored by Dmitriy Zaporozhets

Merge branch 'ee_remove_auth_from_ci_url' into 'master'

removes API credentials from link to CiServer build_page

In f1e38963 @dblessing introduced the support to specify API credentials for a CiService (in this case Jenkins) via its URL. This led to the state that for any MR a link is rendered which references the build result. This link however contains the provided API credentials, which I do not believe to be intended!
Under these circumstances any user with access to the GitLab MR page can access the API token, which may allow privileged access to the CI server.

My MR changes the behavior of the appropriate helper method to remove the credentials from the link. It also adds a spec for it, so we do not suffer a regression later on.
parents 2b9a9d4c d448f407
......@@ -32,7 +32,14 @@ module MergeRequestsHelper
end
def ci_build_details_path merge_request
merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha)
build_url = merge_request.source_project.ci_service.build_page(merge_request.last_commit.sha)
parsed_url = URI.parse(build_url)
unless parsed_url.userinfo.blank?
parsed_url.userinfo = ''
end
parsed_url.to_s
end
def merge_path_description(merge_request, separator)
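Review bot: `URI.parse(build_url)` raises `URI::InvalidURIError` when the CI service returns a URL it cannot parse (one containing a space, say), where the replaced line returned the string untouched, so a misconfigured service URL would now fail rendering of the whole merge request page; rescue that error and return nil rather than falling back to `build_url`, since the raw string is exactly what leaks the credentials. The `unless parsed_url.userinfo.blank?` guard is also redundant: assigning `''` to a URL that has no userinfo changes nothing, so the body can simply be `parsed_url.userinfo = ''` followed by `parsed_url.to_s`.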
......
require "spec_helper"
describe MergeRequestsHelper do
let(:project) { create :project }
let(:merge_request) { MergeRequest.new }
let(:ci_service) { CiService.new }
let(:last_commit) { Commit.new({}) }
before do
merge_request.stub(:source_project) { project }
merge_request.stub(:last_commit) { last_commit }
project.stub(:ci_service) { ci_service }
last_commit.stub(:sha) { '12d65c' }
end
describe :ci_build_details_path do
it 'does not include api credentials in a link' do
ci_service.stub(:build_page) { "http://secretuser:secretpass@jenkins.example.com:8888/job/test1/scm/bySHA1/12d65c" }
expect(ci_build_details_path(merge_request)).to_not match("secret")
end
end
end
\ No newline at end of file
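Review bot: `expect(ci_build_details_path(merge_request)).to_not match("secret")` would also pass if the helper returned nil or an empty string, so it does not prove the link still points at the build; assert the exact stripped result instead, e.g. `expect(ci_build_details_path(merge_request)).to eq("http://jenkins.example.com:8888/job/test1/scm/bySHA1/12d65c")`, and add a second example with a credential-free build page URL to show it passes through unchanged.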