Commit 718a23fd authored by Stan Hu's avatar Stan Hu

Properly handle colons in URL passwords

Before b46d5b13, we relied on
`Addressable::URI` to parse the username/password in a URL, but this failed
when credentials contained special characters. However, b46d5b13 introduced a regression
where the parsing would incorrectly truncate the password if the password contained a colon.

Closes #49080
parent 255db3d5
---
title: Properly handle colons in URL passwords
merge_request:
author:
type: fixed
...@@ -58,7 +58,7 @@ module Gitlab ...@@ -58,7 +58,7 @@ module Gitlab
if raw_credentials.present? if raw_credentials.present?
url.sub!("#{raw_credentials}@", '') url.sub!("#{raw_credentials}@", '')
user, password = raw_credentials.split(':') user, _, password = raw_credentials.partition(':')
@credentials ||= { user: user.presence, password: password.presence } @credentials ||= { user: user.presence, password: password.presence }
end end
......
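Review bot: The new `raw_credentials.partition(':')` line has no comment saying why only the first colon is treated as a separator, so a later cleanup could quietly go back to `split(':')` and truncate passwords again. I would add `# Split on the first colon only; everything after it is the password and may itself contain colons.` directly above it. The hunk does not show how `raw_credentials` is extracted or whether percent-encoded characters such as `%3A` are decoded before being stored in `@credentials`, so that is worth confirming against the rest of the method, which starts and ends outside this hunk.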
...@@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do ...@@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
context 'credentials in URL' do context 'credentials in URL' do
where(:url, :credentials) do where(:url, :credentials) do
'http://foo:bar@example.com' | { user: 'foo', password: 'bar' } 'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
'http://:bar@example.com' | { user: nil, password: 'bar' } 'http://:bar@example.com' | { user: nil, password: 'bar' }
'http://foo:@example.com' | { user: 'foo', password: nil } 'http://foo:@example.com' | { user: 'foo', password: nil }
'http://foo@example.com' | { user: 'foo', password: nil } 'http://foo@example.com' | { user: 'foo', password: nil }
......
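Review bot: The added row covers a colon in the middle of the password, but not one directly after the separator or at the very end, which are the cases where `split(':')` would have dropped or shortened the password most visibly. Two more rows would pin the behaviour: `'http://foo::bar@example.com' | { user: 'foo', password: ':bar' }` and `'http://foo:bar:@example.com' | { user: 'foo', password: 'bar:' }`. The expected values follow from `partition(':')` on the assumption that the whole userinfo reaches it unchanged; the extraction code is not visible here, and the `where` table continues past the end of this hunk.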