SECURITY: Expand and improve SSRF Protections (#18815)

See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2025-05-23 11:41:03 +08:00 · 2022-11-01 16:33:17 +00:00
parent 695b44269b
commit 68b4fe4cf8
42 changed files with 1164 additions and 443 deletions
--- a/lib/git_url.rb
+++ b/lib/git_url.rb
@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module GitUrl
+  class << self
+    SSH_REGEXP = /(\w+@(\w+\.)*\w+):(.*)/
+
+    def normalize(url)
+      if m = SSH_REGEXP.match(url)
+        url = "ssh://#{m[1]}/#{m[3]}"
+      end
+
+      if url.start_with?("https://github.com/") && !url.end_with?(".git")
+        url = url.gsub(/\/$/, '')
+        url += ".git"
+      end
+
+      url
+    end
+  end
+end