Do not pass forbidden params to NotifyService

NotifyService doesn't need to know about some service params such as "controller" and "action"

Do not pass forbidden params to NotifyService
NotifyService doesn't need to know about some service params such as "controller" and "action"
d5b923d9 · Vitali Tatarintev · 8ef2d715 · d5b923d9 · d5b923d9
Commit d5b923d9 authored Sep 12, 2019 by Vitali Tatarintev
2 changed files
--- a/ee/app/controllers/projects/alerting/notifications_controller.rb
+++ b/ee/app/controllers/projects/alerting/notifications_controller.rb
@@ -19,6 +19,8 @@ module Projects
      private
+      FORBIDDEN_PARAMS = %w(controller action namespace_id project_id).freeze
      def project_without_auth
        @project ||= Project
          .find_by_full_path("#{params[:namespace_id]}/#{params[:project_id]}")
@@ -34,7 +36,7 @@ module Projects
      def notify_service
        Projects::Alerting::NotifyService
-          .new(project, current_user, params.permit!)
+          .new(project, current_user, permitted_params)
      end
      def response_status(result)
@@ -47,6 +49,10 @@ module Projects
          :ok
        end
      end
+      def permitted_params
+        params.reject! { |param| param.in?(FORBIDDEN_PARAMS) }.permit!
+      end
    end
  end
 end
--- a/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
+++ b/ee/spec/controllers/projects/alerting/notifications_controller_spec.rb
@@ -15,7 +15,7 @@ describe Projects::Alerting::NotificationsController do
    end
    def make_request(opts = {})
-      post :create, params: project_params, session: { as: :json }
+      post :create, params: project_params(opts), session: { as: :json }
    end
    context 'when feature flag is on' do
@@ -24,11 +24,27 @@ describe Projects::Alerting::NotificationsController do
      end
      context 'when notification service succeeds' do
+        let(:payload) do
+          {
+            title: 'Alert title',
+            hosts: 'https://gitlab.com'
+          }
+        end
+        let(:permitted_params) { ActionController::Parameters.new(payload).permit! }
        it 'responds with ok' do
          make_request
          expect(response).to have_gitlab_http_status(:ok)
        end
+        it 'does not pass forbidden parameters to the notify service' do
+          make_request(payload)
+          expect(Projects::Alerting::NotifyService)
+            .to have_received(:new)
+            .with(project, nil, permitted_params)
+        end
      end
      context 'when notification service fails' do