From d314a6839405f025b0425802f339dc690ced0f33 Mon Sep 17 00:00:00 2001
From: Kimura
Date: Wed, 6 Jan 2016 11:14:15 +0900
Subject: [PATCH] escape user ID when forming URL

---
 lib/omniauth/strategies/slack.rb |  8 +++++++-
 test/test.rb                     | 25 +++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/lib/omniauth/strategies/slack.rb b/lib/omniauth/strategies/slack.rb
index 56cd0d8..948ca05 100644
--- a/lib/omniauth/strategies/slack.rb
+++ b/lib/omniauth/strategies/slack.rb
@@ -1,4 +1,6 @@
 require 'omniauth/strategies/oauth2'
+require 'uri'
+require 'rack/utils'
 
 module OmniAuth
   module Strategies
@@ -69,7 +71,11 @@ def raw_info
       end
 
       def user_info
-        @user_info ||= access_token.get("/api/users.info?user=#{raw_info['user_id']}").parsed
+        url = URI.parse("/api/users.info")
+        url.query = Rack::Utils.build_query(user: raw_info['user_id'])
+        url = url.to_s
+
+        @user_info ||= access_token.get(url).parsed
       end
 
       def team_info
diff --git a/test/test.rb b/test/test.rb
index cc545c6..1a413d9 100644
--- a/test/test.rb
+++ b/test/test.rb
@@ -100,6 +100,30 @@ def setup
   end
 
 class UserInfoTest < StrategyTestCase
+
+  def setup
+    super
+    @access_token = stub("OAuth2::AccessToken")
+    strategy.stubs(:access_token).returns(@access_token)
+  end
+
+  test "performs a GET to https://slack.com/api/users.info" do
+    strategy.stubs(:raw_info).returns("user_id" => "U123")
+    @access_token.expects(:get).with("/api/users.info?user=U123")
+      .returns(stub_everything("OAuth2::Response"))
+    strategy.user_info
+  end
+
+  test "URI escapes user ID" do
+    strategy.stubs(:raw_info).returns("user_id" => "../haxx?U123#abc")
+    @access_token.expects(:get).with("/api/users.info?user=..%2Fhaxx%3FU123%23abc")
+      .returns(stub_everything("OAuth2::Response"))
+    strategy.user_info
+  end
+end
+
+class SkipInfoTest < StrategyTestCase
   test 'info should not include extended info when skip_info is specified' do
     @options = { skip_info: true }
     strategy.stubs(:raw_info).returns({})
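Review bot: The URL is now assembled before the `@user_info ||=` memoization, so `raw_info['user_id']`, `URI.parse` and `Rack::Utils.build_query` run on every call to `user_info` even once the result is cached, whereas the removed line kept the whole expression inside the `||=`. The escaping can be kept while restoring the single memoized expression: `@user_info ||= access_token.get("/api/users.info?#{Rack::Utils.build_query(user: raw_info['user_id'])}").parsed`. With that form the `URI.parse`/`to_s` round-trip is unnecessary and the `require 'uri'` added in the first hunk can go. One hedged observation: when `raw_info` has no `user_id`, `build_query(user: nil)` appears to emit `?user` with no `=`, where the old interpolation produced `?user=`; a test pinning whichever form is intended would make that explicit.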
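Review bot: The escaping test pins the exact encoded query, which is the right assertion, but neither new test covers a `raw_info` without a `user_id`, and the title of the first test names `https://slack.com/api/users.info` while the expectation only ever sees the relative path `/api/users.info?user=U123` because the host comes from the stubbed access token's client. Consider renaming it to `test "performs a GET to /api/users.info"` and adding a case along the lines of `strategy.stubs(:raw_info).returns({})` with the expected query spelled out, so the nil-ID behaviour is documented rather than incidental. The `SkipInfoTest` test block at the end of this hunk continues outside it.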
@@ -112,4 +136,5 @@ class UserInfoTest < StrategyTestCase
     strategy.stubs(:webhook_info).returns({})
     assert_equal %w[raw_info web_hook_info], strategy.extra.keys.map(&:to_s)
   end
+
 end