Do not pass forbidden params to NotifyService

NotifyService doesn't need to know about some service params such as "controller" and "action"

Do not pass forbidden params to NotifyService
NotifyService doesn't need to know about some service params such as "controller" and "action"
d5b923d9 · Vitali Tatarintev · 8ef2d715 · d5b923d9 · d5b923d9
Commit d5b923d9 authored Sep 12, 2019 by Vitali Tatarintev
2 changed files
--- a/ee/app/controllers/projects/alerting/notifications_controller.rb
+++ b/ee/app/controllers/projects/alerting/notifications_controller.rb
@@ -19,6 +19,8 @@ module Projects

      private

+      FORBIDDEN_PARAMS = %w(controller action namespace_id project_id).freeze
+
      def project_without_auth
        @project ||= Project
          .find_by_full_path("#{params[:namespace_id]}/#{params[:project_id]}")
@@ -34,7 +36,7 @@ module Projects

      def notify_service
        Projects::Alerting::NotifyService
-          .new(project, current_user, params.permit!)
+          .new(project, current_user, permitted_params)
      end

      def response_status(result)
@@ -47,6 +49,10 @@ module Projects
          :ok
        end
      end
+
+      def permitted_params
+        params.reject! { |param| param.in?(FORBIDDEN_PARAMS) }.permit!
+      end
    end
  end
 end
--- a/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
+++ b/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
@@ -15,7 +15,7 @@ describe Projects::Alerting::NotificationsController do
    end

    def make_request(opts = {})
-      post :create, params: project_params, session: { as: :json }
+      post :create, params: project_params(opts), session: { as: :json }
    end

    context 'when feature flag is on' do
@@ -24,11 +24,27 @@ describe Projects::Alerting::NotificationsController do
      end

      context 'when notification service succeeds' do
+        let(:payload) do
+          {
+            title: 'Alert title',
+            hosts: 'https://gitlab.com'
+          }
+        end
+        let(:permitted_params) { ActionController::Parameters.new(payload).permit! }
+
        it 'responds with ok' do
          make_request

          expect(response).to have_gitlab_http_status(:ok)
        end
+
+        it 'does not pass forbidden parameters to the notify service' do
+          make_request(payload)
+
+          expect(Projects::Alerting::NotifyService)
+            .to have_received(:new)
+            .with(project, nil, permitted_params)
+        end
      end

      context 'when notification service fails' do