Use strong_parameters for ForksController#index

Sentry errors: * https://sentry.gitlab.net/gitlab/gitlabcom/issues/3152530 * https://sentry.gitlab.net/gitlab/gitlabcom/issues/3172939 Sanitize input query parameters for ForksController#index Changelog: fixed

Use strong_parameters for ForksController#index
Sentry errors: * https://sentry.gitlab.net/gitlab/gitlabcom/issues/3152530 * https://sentry.gitlab.net/gitlab/gitlabcom/issues/3172939 Sanitize input query parameters for ForksController#index Changelog: fixed
824dce63 · Vasilii Iakliushin · 63a7d839 · 824dce63 · 824dce63
Commit 824dce63 authored Jan 30, 2022 by Vasilii Iakliushin
Showing with 19 additions and 3 deletions

app/controllers/projects/forks_controller.rb app/controllers/projects/forks_controller.rb +7 -3

spec/controllers/projects/forks_controller_spec.rb spec/controllers/projects/forks_controller_spec.rb +12 -0

No files found.
--- a/app/controllers/projects/forks_controller.rb
+++ b/app/controllers/projects/forks_controller.rb
@@ -22,14 +22,14 @@ class Projects::ForksController < Projects::ApplicationController
  end

  def index
-    @sort = params[:sort]
+    @sort = forks_params[:sort]

    @total_forks_count    = project.forks.size
    @public_forks_count   = project.forks.public_only.size
    @private_forks_count  = @total_forks_count - project.forks.public_and_internal_only.size
    @internal_forks_count = @total_forks_count - @public_forks_count - @private_forks_count

-    @forks = load_forks.page(params[:page])
+    @forks = load_forks.page(forks_params[:page])

    prepare_projects_for_rendering(@forks)

@@ -98,7 +98,7 @@ class Projects::ForksController < Projects::ApplicationController
  def load_forks
    forks = ForkProjectsFinder.new(
      project,
-      params: params.merge(search: params[:filter_projects]),
+      params: forks_params.merge(search: forks_params[:filter_projects]),
      current_user: current_user
    ).execute

@@ -117,6 +117,10 @@ class Projects::ForksController < Projects::ApplicationController
    end
  end

+  def forks_params
+    params.permit(:filter_projects, :sort, :page)
+  end
+
  def fork_params
    params.permit(:path, :name, :description, :visibility).tap do |param|
      param[:namespace] = fork_namespace

--- a/spec/controllers/projects/forks_controller_spec.rb
+++ b/spec/controllers/projects/forks_controller_spec.rb
@@ -67,6 +67,18 @@ RSpec.describe Projects::ForksController do
          expect(assigns[:private_forks_count]).to eq(0)
        end
      end
+
+      context 'when unsupported keys are provided' do
+        it 'ignores them' do
+          get :index, params: {
+            namespace_id: project.namespace,
+            project_id: project,
+            user: 'unsupported'
+          }
+
+          expect(assigns[:forks]).to be_present
+        end
+      end
    end

    context 'when fork is internal' do