Merge branch 'security-11-6-57227-absolute-uri-missing-hierarchical-segment' into '11-6-stable'

Catch possible Addressable::URI::InvalidURIError See merge request gitlab/gitlabhq!2966

Merge branch 'security-11-6-57227-absolute-uri-missing-hierarchical-segment' into '11-6-stable'
8ddd1158 · Yorick Peterse · 2030ca98 · c360384c · 8ddd1158 · 8ddd1158
Commit 8ddd1158 authored 6 years ago by Yorick Peterse
--- a/changelogs/unreleased/57227-absolute-uri-missing-hierarchical-segment.yml
+++ b/changelogs/unreleased/57227-absolute-uri-missing-hierarchical-segment.yml
+---
+title: Fix potential Addressable::URI::InvalidURIError
+merge_request:
+author:
+type: security
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -114,7 +114,11 @@ module Banzai
        # Since this came from a Text node, make sure the new href is encoded.
        # `commonmarker` percent encodes the domains of links it handles, so
        # do the same (instead of using `normalized_encode`).
-        href_safe = Addressable::URI.encode(match).html_safe
+        begin
+          href_safe = Addressable::URI.encode(match).html_safe
+        rescue Addressable::URI::InvalidURIError
+          return uri.to_s
+        end
  
        html_safe_match = match.html_safe
        options         = link_options.merge(href: href_safe)

--- a/spec/lib/banzai/filter/autolink_filter_spec.rb
+++ b/spec/lib/banzai/filter/autolink_filter_spec.rb
@@ -121,6 +121,13 @@ describe Banzai::Filter::AutolinkFilter do
      expect(doc.to_s).to eq("See #{link}")
    end
  
+    it 'does not autolink bad URLs after we remove trailing punctuation' do
+      link = 'http://]'
+      doc = filter("See #{link}")
+
+      expect(doc.to_s).to eq("See #{link}")
+    end
+
    it 'does not include trailing punctuation' do
      ['.', ', ok?', '...', '?', '!', ': is that ok?'].each do |trailing_punctuation|
        doc = filter("See #{link}#{trailing_punctuation}")