Commit b5d792d5 authored by Vasilii Iakliushin's avatar Vasilii Iakliushin

Use strong parameters for CommitsController

Sentry error:
https://sentry.gitlab.net/gitlab/gitlabcom/issues/3161031

Changelog: fixed
parent 63a7d839
...@@ -67,11 +67,11 @@ class Projects::CommitsController < Projects::ApplicationController ...@@ -67,11 +67,11 @@ class Projects::CommitsController < Projects::ApplicationController
def set_commits def set_commits
render_404 unless @path.empty? || request.format == :atom || @repository.blob_at(@commit.id, @path) || @repository.tree(@commit.id, @path).entries.present? render_404 unless @path.empty? || request.format == :atom || @repository.blob_at(@commit.id, @path) || @repository.tree(@commit.id, @path).entries.present?
limit = params[:limit].to_i limit = permitted_params[:limit].to_i
@limit = limit > 0 ? limit : COMMITS_DEFAULT_LIMIT # limit can only ever be a positive number @limit = limit > 0 ? limit : COMMITS_DEFAULT_LIMIT # limit can only ever be a positive number
@offset = (params[:offset] || 0).to_i @offset = (permitted_params[:offset] || 0).to_i
search = params[:search] search = permitted_params[:search]
author = params[:author] author = permitted_params[:author]
@commits = @commits =
if search.present? if search.present?
...@@ -87,4 +87,8 @@ class Projects::CommitsController < Projects::ApplicationController ...@@ -87,4 +87,8 @@ class Projects::CommitsController < Projects::ApplicationController
@commits = @commits.with_latest_pipeline(@ref) @commits = @commits.with_latest_pipeline(@ref)
@commits = set_commits_for_rendering(@commits) @commits = set_commits_for_rendering(@commits)
end end
def permitted_params
params.permit(:limit, :offset, :search, :author)
end
end end
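Review bot: The new `permitted_params` at the bottom of the class is called four times in `set_commits` (limit, offset, search, author), and each call re-runs `params.permit`, which rebuilds the filtered hash and, if the app reports unpermitted keys such as the routing params, reports them once per call; memoizing it is cheaper and keeps one consistent view of the request, `@permitted_params ||= params.permit(:limit, :offset, :search, :author)`. The method also carries no comment on why `permit` is needed here: the point of the change is that `permit` drops non-scalar values, so a hash or array sent as `limit`/`search`/`author` becomes `nil` instead of reaching `@repository.commits`, and a one-line comment to that effect (with the Sentry issue from the commit message) would save the next reader from "simplifying" it back to `params[...]`. Note that `@offset` still accepts any integer, including negative ones, since `(permitted_params[:offset] || 0).to_i` only coerces; whether the repository layer rejects a negative offset is not visible here and is worth confirming. The body of `set_commits` continues between the two hunks, outside what is shown.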
...@@ -88,6 +88,26 @@ RSpec.describe Projects::CommitsController do ...@@ -88,6 +88,26 @@ RSpec.describe Projects::CommitsController do
expect(response).to be_successful expect(response).to be_successful
end end
context 'when limit is a hash' do
it 'uses the default limit' do
expect_any_instance_of(Repository).to receive(:commits).with(
"master",
path: "README.md",
limit: described_class::COMMITS_DEFAULT_LIMIT,
offset: 0
).and_call_original
get(:show, params: {
namespace_id: project.namespace,
project_id: project,
id: id,
limit: { 'broken' => 'value' }
})
expect(response).to be_successful
end
end
end end
context "when the ref name ends in .atom" do context "when the ref name ends in .atom" do
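Review bot: The new example only exercises a hash-valued `limit`, while `offset`, `search` and `author` now go through the same `permit` call and have no coverage, so a regression in one of them would not be caught. A parallel example with `offset: { 'broken' => 'value' }` that expects `offset: 0` in the `receive(:commits).with(...)` matcher, and one with a non-scalar `search` that expects a successful response, would pin the behaviour the controller change relies on. `expect_any_instance_of` is also used here; if the surrounding spec file does not already rely on it, `allow_next_instance_of`/`expect_next_instance_of` is the usual preference. The enclosing `describe` block continues past this hunk.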