Merge branch 'raise-on-unfiltered-params' into 'master'

Set ActionController raise_on_unfiltered_parameters to true See merge request gitlab-org/gitlab-ce!24443

Merge branch 'raise-on-unfiltered-params' into 'master'
Set ActionController raise_on_unfiltered_parameters to true See merge request gitlab-org/gitlab-ce!24443
764f2678 · Rémy Coutable · 93a93174 · 4724afa0 · 764f2678 · 764f2678
Commit 764f2678 authored Jan 21, 2019 by Rémy Coutable
7 changed files
--- a/app/controllers/projects/lfs_locks_api_controller.rb
+++ b/app/controllers/projects/lfs_locks_api_controller.rb
@@ -4,19 +4,19 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
  include LfsRequest
  def create
-    @result = Lfs::LockFileService.new(project, user, params).execute
+    @result = Lfs::LockFileService.new(project, user, lfs_params).execute
    render_json(@result[:lock])
  end
  def unlock
-    @result = Lfs::UnlockFileService.new(project, user, params).execute
+    @result = Lfs::UnlockFileService.new(project, user, lfs_params).execute
    render_json(@result[:lock])
  end
  def index
-    @result = Lfs::LocksFinderService.new(project, user, params).execute
+    @result = Lfs::LocksFinderService.new(project, user, lfs_params).execute
    render_json(@result[:locks])
  end
@@ -69,4 +69,8 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
  def upload_request?
    %w(create unlock verify).include?(params[:action])
  end
+  def lfs_params
+    params.permit(:id, :path, :force)
+  end
 end
--- a/app/helpers/members_helper.rb
+++ b/app/helpers/members_helper.rb
@@ -32,7 +32,7 @@ module MembersHelper
  end
  def filter_group_project_member_path(options = {})
-    options = params.slice(:search, :sort).merge(options)
+    options = params.slice(:search, :sort).merge(options).permit!
    "#{request.path}?#{options.to_param}"
  end
 end
--- a/app/services/projects/create_from_template_service.rb
+++ b/app/services/projects/create_from_template_service.rb
@@ -5,7 +5,7 @@ module Projects
    include Gitlab::Utils::StrongMemoize
    def initialize(user, params)
-      @current_user, @params = user, params.dup
+      @current_user, @params = user, params.to_h.dup
    end
    def execute

--- a/changelogs/unreleased/raise-on-unfiltered-params.yml
+++ b/changelogs/unreleased/raise-on-unfiltered-params.yml
+---
+title: Actually set raise_on_unfiltered_parameters to true
+merge_request: 24443
+author: Jasper Maes
+type: other
--- a/config/application.rb
+++ b/config/application.rb
@@ -162,6 +162,9 @@ module Gitlab
    config.action_view.sanitized_allowed_protocols = %w(smb)
+    # Can be removed once upgraded to Rails 5.1 or higher
+    config.action_controller.raise_on_unfiltered_parameters = true
    # Nokogiri is significantly faster and uses less memory than REXML
    ActiveSupport::XmlMini.backend = 'Nokogiri'

--- a/config/initializers/new_framework_defaults.rb
+++ b/config/initializers/new_framework_defaults.rb
@@ -8,8 +8,6 @@
 #
 # Read the Guide for Upgrading Ruby on Rails for more info on each option.
-Rails.application.config.action_controller.raise_on_unfiltered_parameters = true
 # Enable per-form CSRF tokens. Previous versions had false.
 Rails.application.config.action_controller.per_form_csrf_tokens = false

--- a/spec/requests/lfs_locks_api_spec.rb
+++ b/spec/requests/lfs_locks_api_spec.rb
@@ -132,6 +132,17 @@ describe 'Git LFS File Locking API' do
        expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner))
      end
+      context 'when a maintainer uses force' do
+        let(:authorization) { authorize_user(maintainer) }
+        it 'deletes the lock' do
+          project.add_maintainer(maintainer)
+          post_lfs_json url, { force: true }, headers
+          expect(response).to have_gitlab_http_status(200)
+        end
+      end
    end
  end