Merge pull request #17766 from Homebrew/fix-formula-uri-loader

FormulaURILoader: use regex to validate refs before attempting to cast

Library/Homebrew/formulary.rb

@@ -696,9 +696,20 @@ module Formulary
         .returns(T.nilable(T.attached_class))
     }
     def self.try_new(ref, from: T.unsafe(nil), warn: false)
-      ref = ref.to_s
+      # Cache compiled regex
+      @uri_regex ||= begin
+        uri_regex = ::URI::DEFAULT_PARSER.make_regexp
+        Regexp.new("\\A#{uri_regex.source}\\Z", uri_regex.options)
+      end
 
-      new(ref, from:) if URI(ref).scheme.present?
+      uri = ref.to_s
+      return unless uri.match?(@uri_regex)
+
+      uri = URI(uri)
+      return unless uri.path
+      return unless uri.scheme.present?
+
+      new(uri, from:)
     end
 
     attr_reader :url

Library/Homebrew/test/formulary_spec.rb

@@ -555,6 +555,14 @@ RSpec.describe Formulary do
         end.not_to raise_error(UnsupportedInstallationMethod)
       end
     end
+
+    context "when passed ref with spaces" do
+      it "raises a FormulaUnavailableError error" do
+        expect do
+          described_class.factory("foo bar")
+        end.to raise_error(FormulaUnavailableError)
+      end
+    end
   end
 
   specify "::from_contents" do