Merge branch 'use_strong_params_for_refs_controller' into 'master'

Use strong_parameters for RefsController

See merge request gitlab-org/gitlab!79951

app/controllers/projects/refs_controller.rb

@@ -18,7 +18,7 @@ class Projects::RefsController < Projects::ApplicationController
     respond_to do |format|
       format.html do
         new_path =
-          case params[:destination]
+          case permitted_params[:destination]
           when "tree"
             project_tree_path(@project, @id)
           when "blob"
@@ -45,7 +45,7 @@ class Projects::RefsController < Projects::ApplicationController
   def logs_tree
     tree_summary = ::Gitlab::TreeSummary.new(
       @commit, @project, current_user,
-      path: @path, offset: params[:offset], limit: 25)
+      path: @path, offset: permitted_params[:offset], limit: 25)
 
     respond_to do |format|
       format.html { render_404 }
@@ -62,6 +62,10 @@ class Projects::RefsController < Projects::ApplicationController
   private
 
   def validate_ref_id
-    return not_found if params[:id].present? && params[:id] !~ Gitlab::PathRegex.git_reference_regex
+    return not_found if permitted_params[:id].present? && permitted_params[:id] !~ Gitlab::PathRegex.git_reference_regex
+  end
+
+  def permitted_params
+    params.permit(:id, :offset, :destination)
   end
 end

spec/controllers/projects/refs_controller_spec.rb

@@ -55,6 +55,15 @@ RSpec.describe Projects::RefsController do
       end
     end
 
+    context 'when offset has an invalid format' do
+      it 'renders JSON' do
+        xhr_get(:json, offset: { wrong: :format })
+
+        expect(response).to be_successful
+        expect(json_response).to be_kind_of(Array)
+      end
+    end
+
     context 'when json is requested' do
       it 'renders JSON' do
         expect(::Gitlab::GitalyClient).to receive(:allow_ref_name_caching).and_call_original