escape user ID when forming URL

lib/omniauth/strategies/slack.rb

@@ -1,4 +1,6 @@
 require 'omniauth/strategies/oauth2'
+require 'uri'
+require 'rack/utils'
 
 module OmniAuth
   module Strategies
@@ -69,7 +71,11 @@ def raw_info
       end
 
       def user_info
-        @user_info ||= access_token.get("/api/users.info?user=#{raw_info['user_id']}").parsed
+        url = URI.parse("/api/users.info")
+        url.query = Rack::Utils.build_query(user: raw_info['user_id'])
+        url = url.to_s
+
+        @user_info ||= access_token.get(url).parsed
       end
 
       def team_info

test/test.rb

@@ -100,6 +100,30 @@ def setup
 end
 
 class UserInfoTest < StrategyTestCase
+
+  def setup
+    super
+    @access_token = stub("OAuth2::AccessToken")
+    strategy.stubs(:access_token).returns(@access_token)
+  end
+
+  test "performs a GET to https://slack.com/api/users.info" do
+    strategy.stubs(:raw_info).returns("user_id" => "U123")
+    @access_token.expects(:get).with("/api/users.info?user=U123")
+      .returns(stub_everything("OAuth2::Response"))
+    strategy.user_info
+  end
+
+  test "URI escapes user ID" do
+    strategy.stubs(:raw_info).returns("user_id" => "../haxx?U123#abc")
+    @access_token.expects(:get).with("/api/users.info?user=..%2Fhaxx%3FU123%23abc")
+      .returns(stub_everything("OAuth2::Response"))
+    strategy.user_info
+  end
+end
+
+class SkipInfoTest < StrategyTestCase
+
   test 'info should not include extended info when skip_info is specified' do
     @options = { skip_info: true }
     strategy.stubs(:raw_info).returns({})
@@ -112,4 +136,5 @@ class UserInfoTest < StrategyTestCase
     strategy.stubs(:webhook_info).returns({})
     assert_equal %w[raw_info web_hook_info], strategy.extra.keys.map(&:to_s)
   end
+
 end