octokit.rb
Certain valid characters in refs aren't being escaped properly
Certain valid characters in git branch names aren't being escaped properly, leading to a failure to fetch them. A good example is #, which will obviously break API calls if passed through without escaping.
This was broken by #1006. URI::Parser handles this correctly, escaping # to %23, while Addressable::URI leaves it as #. Versions of Octokit from 4.9.0 to current git HEAD are affected.
Steps to reproduce:
- Create and push up a branch named foo#bar
- Using Octokit, run client.branch("myrepo", "foo#bar")
Expected results:
Octokit fetches the branch and returns metadata.
Actual results:
Octokit returns a 404.
I double checked this using curl and got the same results, so it looks like it might be a problem with the API itself.
For example, trying
curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/octopup/api-sandbox/branches/test#this
returns:
{
"message": "Branch not found",
"documentation_url": "https://developer.github.com/v3/repos/branches/#get-branch"
}
Although I can see the branch test#this under curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/octopup/api-sandbox/branches and the other branches like master work as expected.
Additionally, escaping it directly works as expected:
curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/repos/octopup/api-sandbox/branches/test%23this
@hmharvey I believe that's expected. Because of how URL routing works, anything past a literal # doesn't make its way into the server to the app. # always needs to be encoded in order to be used in URLs like this.
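The behaviour discussed in this thread, as an added Ruby example that is not part of the original posts and is not Octokit's code: it shows which part of the URL reaches the server when a ref containing # is left raw versus percent-encoded. The helper names encode_ref and sent_to_server are hypothetical, and keeping / as a segment separator inside ref names is an assumption.

```ruby
require "uri"

# Hypothetical helper (not Octokit's implementation): percent-encode every
# byte outside the RFC 3986 unreserved set, one path segment at a time, so
# "/" in names such as "feature/x" still separates segments while "#" and
# "%" are escaped.
def encode_ref(ref)
  ref.split("/", -1).map { |segment|
    segment.b.gsub(/[^A-Za-z0-9\-._~]/) { |byte| format("%%%02X", byte.ord) }
  }.join("/")
end

# The legacy stdlib escaper the issue refers to; "#" is not in its safe set.
def legacy_escape(ref)
  URI::RFC2396_Parser.new.escape(ref)
end

# Split a URL the way an HTTP client does: only the path goes on the wire,
# the fragment (everything after a literal "#") stays on the client.
def sent_to_server(url)
  uri = URI.parse(url)
  { path: uri.path, fragment: uri.fragment }
end

# Base URL taken from the curl commands in the thread.
BASE = "https://api.github.com/repos/octopup/api-sandbox/branches/"

RAW     = sent_to_server(BASE + "test#this")
ENCODED = sent_to_server(BASE + encode_ref("test#this"))

if __FILE__ == $PROGRAM_NAME
  puts "raw:     path=#{RAW[:path]} fragment=#{RAW[:fragment].inspect}"
  puts "encoded: path=#{ENCODED[:path]} fragment=#{ENCODED[:fragment].inspect}"
  puts "legacy:  #{legacy_escape('foo#bar')}"
end
```

With the raw name the server is asked for a branch called test, which matches the "Branch not found" response quoted above; with the encoded name the full test%23this segment is part of the request path.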