Improve Kroki URL validation

8070454c · Guillaume Grossetie · 03bf6b38 · 8070454c
Commit 8070454c authored Nov 25, 2020 by Guillaume Grossetie
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

app/models/application_setting.rb app/models/application_setting.rb +7 -6

No files found.
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -132,11 +132,7 @@ class ApplicationSetting < ApplicationRecord
            if: :unique_ips_limit_enabled

  validates :kroki_url,
-            system_hook_url: {
-                blocked_message: "is blocked: %{exception_message}. " + KROKI_URL_ERROR_MESSAGE
-            },
-            presence: true,
-            if: :kroki_url_absolute?
+            presence: { if: :kroki_enabled }

  validate :validate_kroki_url, if: :kroki_enabled

@@ -520,7 +516,12 @@ class ApplicationSetting < ApplicationRecord
  end

  def parsed_kroki_url
-    @parsed_kroki_url ||= Gitlab::Utils.parse_url(kroki_url)
+    @parsed_kroki_url ||= Gitlab::UrlBlocker.validate!(kroki_url, schemes: %w(http https), enforce_sanitization: true)[0]
+  rescue Gitlab::UrlBlocker::BlockedUrlError => error
+    self.errors.add(
+      :kroki_url,
+      "is not valid. #{error}"
+    )
  end

  def validate_url(parsed_url, name, error_message)