Merge pull request #2614 from git-lfs/skip-invalid-urls

reject invalid urls immediately

lfsapi/client.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -19,10 +20,13 @@ import (
 	"github.com/rubyist/tracerx"
 )
 
-var UserAgent = "git-lfs"
-
 const MediaType = "application/vnd.git-lfs+json; charset=utf-8"
 
+var (
+	UserAgent = "git-lfs"
+	httpRE    = regexp.MustCompile(`\Ahttps?://`)
+)
+
 func (c *Client) NewRequest(method string, e Endpoint, suffix string, body interface{}) (*http.Request, error) {
 	sshRes, err := c.SSH.Resolve(e, method)
 	if err != nil {
@@ -41,6 +45,11 @@ func (c *Client) NewRequest(method string, e Endpoint, suffix string, body inter
 		prefix = sshRes.Href
 	}
 
+	if !httpRE.MatchString(prefix) {
+		urlfragment := strings.SplitN(prefix, "?", 2)[0]
+		return nil, fmt.Errorf("missing protocol: %q", urlfragment)
+	}
+
 	req, err := http.NewRequest(method, joinURL(prefix, suffix), nil)
 	if err != nil {
 		return req, err

tq/adapterbase.go

@@ -3,6 +3,8 @@ package tq
 import (
 	"fmt"
 	"net/http"
+	"regexp"
+	"strings"
 	"sync"
 
 	"github.com/git-lfs/git-lfs/lfsapi"
@@ -185,7 +187,14 @@ func (a *adapterBase) worker(workerNum int, ctx interface{}) {
 	a.workerWait.Done()
 }
 
+var httpRE = regexp.MustCompile(`\Ahttps?://`)
+
 func (a *adapterBase) newHTTPRequest(method string, rel *Action) (*http.Request, error) {
+	if !httpRE.MatchString(rel.Href) {
+		urlfragment := strings.SplitN(rel.Href, "?", 2)[0]
+		return nil, fmt.Errorf("missing protocol: %q", urlfragment)
+	}
+
 	req, err := http.NewRequest(method, rel.Href, nil)
 	if err != nil {
 		return nil, err