Hardens custom avatar URL against email-driven URL injection

sergeibbb · sergeibbb · commit 61a9bf9e1676 · 2026-05-29T02:25:54.000+02:00
Commit emails are attacker-controllable, so identity values interpolated into a `gitlens.remotes` `avatar` template must not be allowed to inject URL-structural characters. `encodeUrl` uses `encodeURI`, which preserves `/`, `?`, `#`, `@`, and `:`, so a crafted email could previously bend the resulting avatar URL's path, query, or fragment. - Component-encodes `${email}`, `${emailName}`, and `${domain}` before interpolation - Splits on the last `@` so RFC 5322 local-parts containing `@` are preserved (and `domain` can't be truncated by a multi-`@` email) - Drops `getContext(...)` and the outer `encodeUrl(...)` — only the four documented tokens are relevant for an avatar URL, and every substituted value is now pre-encoded (#5155)
diff --git a/packages/git/src/remotes/custom.ts b/packages/git/src/remotes/custom.ts
@@ -36,16 +36,22 @@ export class CustomRemoteProvider extends RemoteProvider {
 	}
 
 	getUrlForAvatar(email: string, size: number): string | undefined {
-		if (this.urls.avatar != null) {
-			const [emailName, domain] = email.split('@');
-			return this.encodeUrl(
-				interpolate(
-					this.urls.avatar,
-					this.getContext({ emailName: emailName, domain: domain, email: email, size: String(size) }),
-				),
-			);
-		}
-		return undefined;
+		if (this.urls.avatar == null) return undefined;
+
+		// Split on the last `@` so local-parts that contain `@` are preserved (per RFC 5322)
+		const at = email.lastIndexOf('@');
+		const emailName = at === -1 ? email : email.slice(0, at);
+		const domain = at === -1 ? '' : email.slice(at + 1);
+
+		// Component-encode identity values — commit emails are attacker-controllable and
+		// must never be able to inject URL-structural characters (`/`, `?`, `#`, ...) into the
+		// resulting URL
+		return interpolate(this.urls.avatar, {
+			email: encodeURIComponent(email),
+			emailName: encodeURIComponent(emailName),
+			domain: encodeURIComponent(domain),
+			size: String(size),
+		});
 	}
 
 	protected override getUrlForRepository(): string {
