Merge branch 'use_strong_parameters_for_project_controller' into 'master'

Use StrongParameters for ProjectsController See merge request gitlab-org/gitlab!79956

Merge branch 'use_strong_parameters_for_project_controller' into 'master'
Use StrongParameters for ProjectsController See merge request gitlab-org/gitlab!79956
9d2b981f · Dylan Griffith · 802e07a9 · 06c8a4e5 · 9d2b981f · 9d2b981f
Commit 9d2b981f authored Feb 09, 2022 by Dylan Griffith
3 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -285,7 +285,7 @@ class ProjectsController < Projects::ApplicationController

  # rubocop: disable CodeReuse/ActiveRecord
  def refs
-    find_refs = params['find']
+    find_refs = refs_params['find']

    find_branches = true
    find_tags = true
@@ -300,13 +300,13 @@ class ProjectsController < Projects::ApplicationController
    options = {}

    if find_branches
-      branches = BranchesFinder.new(@repository, params).execute.take(100).map(&:name)
+      branches = BranchesFinder.new(@repository, refs_params).execute.take(100).map(&:name)
      options['Branches'] = branches
    end

    if find_tags && @repository.tag_count.nonzero?
      tags = begin
-        TagsFinder.new(@repository, params).execute
+        TagsFinder.new(@repository, refs_params).execute
      rescue Gitlab::Git::CommandError
        []
      end
@@ -315,7 +315,7 @@ class ProjectsController < Projects::ApplicationController
    end

    # If reference is commit id - we should add it to branch/tag selectbox
-    ref = Addressable::URI.unescape(params[:ref])
+    ref = Addressable::URI.unescape(refs_params[:ref])
    if find_commits && ref && options.flatten(2).exclude?(ref) && ref =~ /\A[0-9a-zA-Z]{6,52}\z/
      options['Commits'] = [ref]
    end
@@ -344,6 +344,14 @@ class ProjectsController < Projects::ApplicationController

  private

+  def refs_params
+    if Feature.enabled?(:strong_parameters_for_project_controller, @project, default_enabled: :yaml)
+      params.permit(:search, :sort, :ref, find: [])
+    else
+      params
+    end
+  end
+
  # Render project landing depending of which features are available
  # So if page is not available in the list it renders the next page
  #

--- a/config/feature_flags/development/strong_parameters_for_project_controller.yml
+++ b/config/feature_flags/development/strong_parameters_for_project_controller.yml
+---
+name: strong_parameters_for_project_controller
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79956
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/352251
+milestone: '14.8'
+type: development
+group: group::source code
+default_enabled: false
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -1202,6 +1202,26 @@ RSpec.describe ProjectsController do
        end
      end
    end
+
+    context 'when input params are invalid' do
+      let(:request) { get :refs, params: { namespace_id: project.namespace, id: project, ref: { invalid: :format } } }
+
+      it 'does not break' do
+        request
+
+        expect(response).to have_gitlab_http_status(:success)
+      end
+
+      context 'when "strong_parameters_for_project_controller" FF is disabled' do
+        before do
+          stub_feature_flags(strong_parameters_for_project_controller: false)
+        end
+
+        it 'raises an exception' do
+          expect { request }.to raise_error(TypeError)
+        end
+      end
+    end
  end

  describe 'POST #preview_markdown' do