Fix 500 errors entering a webhook URL not encoded (!51109) · Merge requests · GitLab.org / GitLab

Arturo Herrero requested to merge 222970-207742-fix-500-webhooks-urls-not-encoded into master Jan 07, 2021

What does this MR do?

This fixes 500 errors entering a webhook URL not encoded.

The problem

# This raises an error
URI.parse('http://server.com/my path/')
URI::InvalidURIError: bad URI(is not URI?): "http://server.com/my path/"

# Escape the user's input works
URI.parse(Addressable::URI.escape('http://server.com/my path/'))
=> #<URI::HTTP http://server.com/my%20path/>

# But if the user's input is already escaped, we have a double escaping problem
URI.parse(Addressable::URI.escape('http://server.com/my%20path/'))
=> #<URI::HTTP http://server.com/my%2520path/>

Solution

We are already recommending to the users to use encoded parameters, eg. from API documentation https://docs.gitlab.com/ee/api/repository_submodules.html#update-existing-submodule-reference-in-repository

The ID or URL-encoded path of the project owned by the authenticated user

In this case, the approach should be the same. The user should enter a URL-encoded to avoid any problem. Webhooks is a feature where the users normally have advance knowledge, so the error messages here are not filtered for any exception, same for URI::InvalidURIError, eg:

Related to #222970 (closed) and #207742 (closed)

Edited Jan 07, 2021 by Arturo Herrero

Fix 500 errors entering a webhook URL not encoded

What does this MR do?

The problem

Solution

Merge request reports