Commit 764f2678 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'raise-on-unfiltered-params' into 'master'

Set ActionController raise_on_unfiltered_parameters to true

See merge request gitlab-org/gitlab-ce!24443
parents 93a93174 4724afa0
...@@ -4,19 +4,19 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController ...@@ -4,19 +4,19 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
include LfsRequest include LfsRequest
def create def create
@result = Lfs::LockFileService.new(project, user, params).execute @result = Lfs::LockFileService.new(project, user, lfs_params).execute
render_json(@result[:lock]) render_json(@result[:lock])
end end
def unlock def unlock
@result = Lfs::UnlockFileService.new(project, user, params).execute @result = Lfs::UnlockFileService.new(project, user, lfs_params).execute
render_json(@result[:lock]) render_json(@result[:lock])
end end
def index def index
@result = Lfs::LocksFinderService.new(project, user, params).execute @result = Lfs::LocksFinderService.new(project, user, lfs_params).execute
render_json(@result[:locks]) render_json(@result[:locks])
end end
...@@ -69,4 +69,8 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController ...@@ -69,4 +69,8 @@ class Projects::LfsLocksApiController < Projects::GitHttpClientController
def upload_request? def upload_request?
%w(create unlock verify).include?(params[:action]) %w(create unlock verify).include?(params[:action])
end end
def lfs_params
params.permit(:id, :path, :force)
end
end end
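Review bot: The new `lfs_params` whitelist is shared by all three actions, so `:force` now also reaches Lfs::LockFileService and Lfs::LocksFinderService, and any key the finder previously read beyond `id`/`path` is dropped silently by `permit` rather than raising; worth a comment so the next maintainer extends the list instead of reaching for `params` again, e.g. `# Strong-params whitelist shared by create/unlock/index; unlisted keys are dropped silently by permit, and :force is only meaningful for unlock.` Whether a non-maintainer sending `force: true` is rejected is decided inside Lfs::UnlockFileService, which is outside this diff; the permit list alone does not gate it. `upload_request?` reading `params[:action]` directly is fine, since single-key reads are not affected by the unfiltered-parameters check. The second hunk's surrounding `private` section, if any, starts outside the hunk.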
...@@ -32,7 +32,7 @@ module MembersHelper ...@@ -32,7 +32,7 @@ module MembersHelper
end end
def filter_group_project_member_path(options = {}) def filter_group_project_member_path(options = {})
options = params.slice(:search, :sort).merge(options) options = params.slice(:search, :sort).merge(options).permit!
"#{request.path}?#{options.to_param}" "#{request.path}?#{options.to_param}"
end end
end end
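Review bot: `permit!` on the merged Parameters blanket-permits the caller-supplied `options` as well as the two sliced keys, when a targeted permit expresses the intent and reads as the whitelist it is: `options = params.permit(:search, :sort).merge(options)`. `Parameters#merge` keeps the receiver's permitted status, so `to_param` on the next line still works without `permit!`, and `search`/`sort` are only ever scalars in a query string, so the narrower `permit` changes nothing for valid input. The enclosing module continues outside the hunk.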
...@@ -5,7 +5,7 @@ module Projects ...@@ -5,7 +5,7 @@ module Projects
include Gitlab::Utils::StrongMemoize include Gitlab::Utils::StrongMemoize
def initialize(user, params) def initialize(user, params)
@current_user, @params = user, params.dup @current_user, @params = user, params.to_h.dup
end end
def execute def execute
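Review bot: `params.to_h.dup` introduces a new contract on `initialize` that is not documented: with `raise_on_unfiltered_parameters` enabled, `to_h` on an unpermitted ActionController::Parameters raises `ActionController::UnfilteredParameters`, whereas a plain Hash passes through unchanged, so every caller now has to hand in either permitted params or a Hash. A YARD line on the constructor would make that visible at the call sites, e.g. `# @param params [ActionController::Parameters, Hash] must already be permitted (#to_h raises on unpermitted params)`. Note also that `to_h` yields an indifferent-access hash for Parameters but a plain Hash for Hash input, so `@params[:key]` versus `@params['key']` may behave differently depending on the caller — worth confirming the services' callers all pass the same shape. The class header and the callers are outside the hunk.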
---
title: Actually set raise_on_unfiltered_parameters to true
merge_request: 24443
author: Jasper Maes
type: other
...@@ -162,6 +162,9 @@ module Gitlab ...@@ -162,6 +162,9 @@ module Gitlab
config.action_view.sanitized_allowed_protocols = %w(smb) config.action_view.sanitized_allowed_protocols = %w(smb)
# Can be removed once upgraded to Rails 5.1 or higher
config.action_controller.raise_on_unfiltered_parameters = true
# Nokogiri is significantly faster and uses less memory than REXML # Nokogiri is significantly faster and uses less memory than REXML
ActiveSupport::XmlMini.backend = 'Nokogiri' ActiveSupport::XmlMini.backend = 'Nokogiri'
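Review bot: The new comment says when the line can go, but not why it lives in `config/application.rb` rather than in `config/initializers/new_framework_defaults.rb`, where the same setting is removed in the other hunk of this commit; without that, someone tidying up is likely to move it back. If the reason is that ActionController::Parameters picks the option up during framework load, before `config/initializers` run (which the MR title "Actually set …" suggests, though it is not visible here), say so: `# Must be set here, not in config/initializers/new_framework_defaults.rb: the initializer runs too late for ActionController::Parameters to pick it up.` The `Gitlab` application class continues outside the hunk.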
...@@ -8,8 +8,6 @@ ...@@ -8,8 +8,6 @@
# #
# Read the Guide for Upgrading Ruby on Rails for more info on each option. # Read the Guide for Upgrading Ruby on Rails for more info on each option.
Rails.application.config.action_controller.raise_on_unfiltered_parameters = true
# Enable per-form CSRF tokens. Previous versions had false. # Enable per-form CSRF tokens. Previous versions had false.
Rails.application.config.action_controller.per_form_csrf_tokens = false Rails.application.config.action_controller.per_form_csrf_tokens = false
...@@ -132,6 +132,17 @@ describe 'Git LFS File Locking API' do ...@@ -132,6 +132,17 @@ describe 'Git LFS File Locking API' do
expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner)) expect(json_response['lock'].keys).to match_array(%w(id path locked_at owner))
end end
context 'when a maintainer uses force' do
let(:authorization) { authorize_user(maintainer) }
it 'deletes the lock' do
project.add_maintainer(maintainer)
post_lfs_json url, { force: true }, headers
expect(response).to have_gitlab_http_status(200)
end
end
end end
end end
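Review bot: The example is named 'deletes the lock' but asserts only `have_gitlab_http_status(200)`, so a response that ignores `force` and leaves the lock in place would still pass; add an assertion on the outcome, for instance that the returned `json_response['lock']` describes the lock that was unlocked and that a subsequent lookup of it no longer finds it. Since this commit is what newly lets `:force` through the controller's whitelist, the complementary negative case — a non-maintainer sending `force: true` is rejected with the expected status — is the check that proves the authorization is still applied, and it is absent from this hunk. `let(:maintainer)` and `url`/`headers` appear to be defined outside the hunk, as is the enclosing describe block.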