Fix credentials detection for UrlSanitizer

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/347562 **Problem** We ignore raw credentials from URL if credentials are explicitly provided as a hash to UrlSantizer.new(url, credentials: { user: <user>, password: <password> }). **Solution** Collect credentials from both URL and credentials hash. Values from credentials hash have preference. Changelog: fixed

Fix credentials detection for UrlSanitizer
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/347562 **Problem** We ignore raw credentials from URL if credentials are explicitly provided as a hash to UrlSantizer.new(url, credentials: { user: <user>, password: <password> }). **Solution** Collect credentials from both URL and credentials hash. Values from credentials hash have preference. Changelog: fixed
7197ccad · Vasilii Iakliushin · 39da3930 · 7197ccad · 7197ccad · 7197ccad
Commit 7197ccad authored Mar 22, 2022 by Vasilii Iakliushin
3 changed files
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -71,7 +71,10 @@ module Gitlab
        url.sub!("#{raw_credentials}@", '')

        user, _, password = raw_credentials.partition(':')
-        @credentials ||= { user: user.presence, password: password.presence }
+
+        @credentials ||= {}
+        @credentials[:user] = user.presence if @credentials[:user].blank?
+        @credentials[:password] = password.presence if @credentials[:password].blank?
      end

      url = Addressable::URI.parse(url)

--- a/spec/controllers/concerns/import_url_params_spec.rb
+++ b/spec/controllers/concerns/import_url_params_spec.rb
@@ -55,4 +55,22 @@ RSpec.describe ImportUrlParams do
      end
    end
  end
+
+  context 'url with provided mixed credentials' do
+    let(:params) do
+      ActionController::Parameters.new(project: {
+        import_url: 'https://user@url.com',
+        import_url_user: '', import_url_password: 'password'
+      })
+    end
+
+    describe '#import_url_params' do
+      it 'returns import_url built from both url and hash credentials' do
+        expect(import_url_params).to eq(
+          import_url: 'https://user:password@url.com',
+          import_type: 'git'
+        )
+      end
+    end
+  end
 end
--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -139,6 +139,23 @@ RSpec.describe Gitlab::UrlSanitizer do
        it { is_expected.to eq(credentials) }
      end
    end
+
+    context 'with mixed credentials' do
+      where(:url, :credentials, :result) do
+        'http://a@example.com'   | { password: 'd' } | { user: 'a', password: 'd' }
+        'http://a:b@example.com' | { password: 'd' } | { user: 'a', password: 'd' }
+        'http://:b@example.com'  | { password: 'd' } | { user: nil, password: 'd' }
+        'http://a@example.com'   | { user: 'c' }     | { user: 'c', password: nil }
+        'http://a:b@example.com' | { user: 'c' }     | { user: 'c', password: 'b' }
+        'http://a:b@example.com' | { user: '' }      | { user: 'a', password: 'b' }
+      end
+
+      with_them do
+        subject { described_class.new(url, credentials: credentials).credentials }
+
+        it { is_expected.to eq(result) }
+      end
+    end
  end

  describe '#user' do