Denial of service on repo settings via repo mirroring

HackerOne report #667398 by xanbanx on 2019-08-05, assigned to jmatos_bgtvf:

Summary

I found a DOS vulnerability making the repository settings of a project unavailable. By crafting an invalid URL, the repository settings page becomes unavailable for everyone.

Steps to reproduce

  1. Create a repo
  2. Go to the repository settings page
  3. In the Mirror a repository section add a new mirror repo with the url: https://ferrari-view.4me.it/view-share/playerp/?plContext=http://ferrari-%201363948628-stream.4mecloud.it/live/ferrari/ngrp:livegenita/manifest.f4m&cartellaConfig=http://ferrari-4me.weebo.it/static/player/config/&cartellaLingua=http://ferrari-4me.weebo.it/static/player/config/&poster=http://pusher.newvision.it:8080/resources/img1.jpg&urlSkin=http://ferrari-4me.weebo.it/static/player/swf/skin.swf?a=1363014732171&method=GET&target_url=http://ferrari-4me.weebo.it/static/player/swf/player.swf&userLanguage=IT&styleTextColor=#000000&autoPlay=true&bufferTime=2&isLive=true&highlightColor=#eb2323&gaTrackerList=UA-23603234-4
  4. This creates an immediate 500 error

However, the repository settings page is not accessible anymore and any further requests yield a 500 error again.

Impact

This is a DoS of the repository settings page. The problem here is that the repo mirror cannot be deleted anymore, making the repo settings page inaccessible forever. The only way to remove the invalid mirror would be using direct access to the rails console or the database. This is of course not easy for public instances.

What is the current bug behavior?

After adding an invalid URL for the repo mirror the repo settings page becomes unavailable.

What is the expected correct behavior?

The app should reject invalid repo mirror urls.

Relevant logs and/or screenshots

bad URI(is not URI?): is raised in safe_url (app/models/remote_mirror.rb:174). Either the URL needs to be encoded or the exception needs to be caught.

Impact

See above.
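
The two fixes the report names (reject the URL when it is saved, and catch the parse exception when it is displayed) can be sketched as follows. This is an added example, not GitLab's code: the `MirrorRecord` class, its `ALLOWED_SCHEMES` list and the sample URLs are assumptions constructed for illustration.

```ruby
require 'uri'

# Hypothetical stand-in for a stored mirror; not GitLab's RemoteMirror model.
class MirrorRecord
  ALLOWED_SCHEMES = %w[http https ssh git].freeze # assumed allow-list

  attr_reader :url, :errors

  def initialize(url)
    @url = url.to_s
    @errors = []
  end

  # Write path: validate with the same parser the read path uses, so a
  # value that passes here can always be rendered later.
  def valid?
    @errors = []
    uri = URI.parse(url)
    @errors << 'scheme is not allowed' unless ALLOWED_SCHEMES.include?(uri.scheme)
    @errors << 'host is missing' if uri.host.to_s.empty?
    @errors.empty?
  rescue URI::InvalidURIError
    @errors << 'is not a valid URI'
    false
  end

  # Read path: URL without credentials for display. A bad value that is
  # already stored returns nil instead of raising, so the page that lists
  # mirrors still renders and the record can be deleted.
  def safe_url
    uri = URI.parse(url)
    info = uri.userinfo
    info ? uri.to_s.sub("#{info}@", '') : uri.to_s
  rescue URI::InvalidURIError
    nil
  end
end

# Constructed sample inputs (not the URL from the report).
SAMPLES = [
  'https://user:secret@example.com/group/repo.git',
  'https://example.com/group/my repo.git',
  'https://example.com/repo.git?color=#000000&hl=#eb2323'
].freeze

SAMPLES.each do |s|
  m = MirrorRecord.new(s)
  puts "#{m.valid? ? 'accept' : 'reject'}  display=#{m.safe_url.inspect}"
end
```

Validating on write alone does not help a record that was stored before the check existed, which is why the read path also rescues the error.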
