Merge branch '289836_monkey_patch_net_http_proxy_crendetial_encoding' into 'master'

Monkey patch Net::HTTP proxy encoding

See merge request gitlab-org/gitlab!52368

changelogs/unreleased/289836_monkey_patch_net_http_proxy_crendetial_encoding.yml

+---
+title: Fix Net::HTTP proxy encoding username and password
+merge_request: 52368
+author:
+type: fixed

config/initializers/net_http_patch.rb

+# frozen_string_literal: true
+
+# Monkey patch Net::HTTP to fix missing URL decoding for username and password in proxy settings
+#
+# See proposed upstream fix https://github.com/ruby/net-http/pull/5
+# See Ruby-lang issue https://bugs.ruby-lang.org/issues/17542
+# See issue on GitLab https://gitlab.com/gitlab-org/gitlab/-/issues/289836
+
+module Net
+  class HTTP < Protocol
+    def proxy_user
+      if environment_variable_is_multiuser_safe? && @proxy_from_env
+        user = proxy_uri&.user
+        CGI.unescape(user) unless user.nil?
+      else
+        @proxy_user
+      end
+    end
+
+    def proxy_pass
+      if environment_variable_is_multiuser_safe? && @proxy_from_env
+        pass = proxy_uri&.password
+        CGI.unescape(pass) unless pass.nil?
+      else
+        @proxy_pass
+      end
+    end
+
+    def environment_variable_is_multiuser_safe?
+      ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE
+    end
+  end
+end

spec/initializers/net_http_patch_spec.rb

+# frozen_string_literal: true
+require 'fast_spec_helper'
+
+RSpec.describe 'Net::HTTP patch proxy user and password encoding' do
+  let(:net_http) { Net::HTTP.new('hostname.example') }
+
+  describe '#proxy_user' do
+    subject { net_http.proxy_user }
+
+    it { is_expected.to eq(nil) }
+
+    context 'with http_proxy env' do
+      let(:http_proxy) { 'http://proxy.example:8000' }
+
+      before do
+        allow(ENV).to receive(:[]).and_call_original
+        allow(ENV).to receive(:[]).with('http_proxy').and_return(http_proxy)
+      end
+
+      it { is_expected.to eq(nil) }
+
+      context 'and user:password authentication' do
+        let(:http_proxy) { 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000' }
+
+        context 'when on multiuser safe platform' do
+          # linux, freebsd, darwin are considered multi user safe platforms
+          # See https://github.com/ruby/net-http/blob/v0.1.1/lib/net/http.rb#L1174-L1178
+
+          before do
+            allow(net_http).to receive(:environment_variable_is_multiuser_safe?).and_return(true)
+          end
+
+          it { is_expected.to eq 'Y\\X' }
+        end
+
+        context 'when not on multiuser safe platform' do
+          before do
+            allow(net_http).to receive(:environment_variable_is_multiuser_safe?).and_return(false)
+          end
+
+          it { is_expected.to be_nil }
+        end
+      end
+    end
+  end
+
+  describe '#proxy_pass' do
+    subject { net_http.proxy_pass }
+
+    it { is_expected.to eq(nil) }
+
+    context 'with http_proxy env' do
+      let(:http_proxy) { 'http://proxy.example:8000' }
+
+      before do
+        allow(ENV).to receive(:[]).and_call_original
+        allow(ENV).to receive(:[]).with('http_proxy').and_return(http_proxy)
+      end
+
+      it { is_expected.to eq(nil) }
+
+      context 'and user:password authentication' do
+        let(:http_proxy) { 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000' }
+
+        context 'when on multiuser safe platform' do
+          # linux, freebsd, darwin are considered multi user safe platforms
+          # See https://github.com/ruby/net-http/blob/v0.1.1/lib/net/http.rb#L1174-L1178
+
+          before do
+            allow(net_http).to receive(:environment_variable_is_multiuser_safe?).and_return(true)
+          end
+
+          it { is_expected.to eq 'R%S] ?X' }
+        end
+
+        context 'when not on multiuser safe platform' do
+          before do
+            allow(net_http).to receive(:environment_variable_is_multiuser_safe?).and_return(false)
+          end
+
+          it { is_expected.to be_nil }
+        end
+      end
+    end
+  end
+end