🐞 v3: Don't 500 UAA Client GUIDS with exotic chars

- Creating a user who happens a UAA client allows setting the GUID
- The GUID can be set to an arbitrary set of characters, e.g.
  `+(select*from(select(sleep(20)))a)+`
- [note: the previous SQL injection attempt did not work, and does
  not work]
- The character is properly created, but can no longer be retrieved
  via `GET /v3/users/:guid`; CAPI returns a 500
- We now `CGI.escape()` the GUID to prevent `URI::HTTP.build` from
  throwing an error when we format its link URL (in `ApiUrlBuilder`)

[finishes #172744797]

Co-authored-by: Brian Cunnie <bcunnie@pivotal.io>
Co-authored-by: Reid Mitchell <rmitchell@pivotal.io>

Author: reidmit

app/presenters/v3/user_presenter.rb

@@ -41,7 +41,7 @@ def user
     def build_links
       {
         self: {
-          href: url_builder.build_url(path: "/v3/users/#{user.guid}")
+          href: url_builder.build_url(path: "/v3/users/#{CGI.escape(user.guid)}")
         }
       }
     end

spec/request/users_spec.rb

@@ -455,6 +455,21 @@
         end
       end
     end
+
+    context 'when the user has a guid with strange characters' do
+      let(:weird_user) { VCAP::CloudController::User.make(guid: 'weird-/(%)') }
+
+      before do
+        allow(uaa_client).to receive(:users_for_ids).with([weird_user.guid]).and_return({})
+      end
+
+      it 'returns the user successfully' do
+        get "/v3/users/#{CGI.escape(weird_user.guid)}", nil, admin_headers
+        expect(last_response).to have_status_code(200)
+        expect(parsed_response['guid']).to eq('weird-/(%)')
+        expect(parsed_response['links']['self']['href']).to eq(link_prefix + '/v3/users/' + CGI.escape(weird_user.guid))
+      end
+    end
   end
 
   describe 'POST /v3/users' do