Only accept POST request to trigger system hooks

Adding changelog for system hooks trigger

Adding the changelog file security-trigger-system-hook-by-post.yml

Added spec for POST request to system hooks

Remove GET request endpoints for system hooks

changelogs/unreleased/security-trigger-system-hook-by-post.yml

+---
+title: Require POST request to trigger system hooks
+merge_request:
+author:
+type: security

doc/api/system_hooks.md

@@ -88,7 +88,7 @@ Example response:
 ## Test system hook
 
 ```plaintext
-GET /hooks/:id
+POST /hooks/:id
 ```
 
 | Attribute | Type | Required | Description |
@@ -98,7 +98,7 @@ GET /hooks/:id
 Example request:
 
 ```shell
-curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/2"
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/hooks/1"
 ```
 
 Example response:

lib/api/system_hooks.rb

@@ -47,7 +47,7 @@ module API
       params do
         requires :id, type: Integer, desc: 'The ID of the system hook'
       end
-      get ":id" do
+      post ":id" do
         hook = SystemHook.find(params[:id])
         data = {
           event_name: "project_create",

spec/requests/api/system_hooks_spec.rb

@@ -103,15 +103,15 @@ RSpec.describe API::SystemHooks do
     end
   end
 
-  describe "GET /hooks/:id" do
-    it "returns hook by id" do
-      get api("/hooks/#{hook.id}", admin)
-      expect(response).to have_gitlab_http_status(:ok)
+  describe 'POST /hooks/:id' do
+    it "returns and trigger hook by id" do
+      post api("/hooks/#{hook.id}", admin)
+      expect(response).to have_gitlab_http_status(:created)
       expect(json_response['event_name']).to eq('project_create')
     end
 
     it "returns 404 on failure" do
-      get api("/hooks/404", admin)
+      post api("/hooks/404", admin)
       expect(response).to have_gitlab_http_status(:not_found)
     end
   end