Pull in `hashie-forbidden_attributes` in our codebase

Drop dependency, add this monkey patch to GitLab, log its usage.

Pull in `hashie-forbidden_attributes` in our codebase
4764ec33 · Aleksei Lipniagov · 093cc1ed · 4764ec33 · 4764ec33 · 4764ec33
Commit 4764ec33 authored 2 years ago by Aleksei Lipniagov
--- a/Gemfile
+++ b/Gemfile
@@ -130,8 +130,6 @@ gem 'graphql-docs', '~> 2.1.0', group: [:development, :test]
 gem 'graphlient', '~> 0.5.0' # Used by BulkImport feature (group::import)

 gem 'hashie', '~> 5.0.0'
-# Disable strong_params so that Mash does not respond to :permitted?
-gem 'hashie-forbidden_attributes'

 # Pagination
 gem 'kaminari', '~> 1.2.2'

--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -260,7 +260,6 @@
 {"name":"hangouts-chat","version":"0.0.5","platform":"ruby","checksum":"bdbeb6c6e4abc98f395cb273f53b39911b3aa9e248fbbf063242b021ced8b6b6"},
 {"name":"hashdiff","version":"1.0.1","platform":"ruby","checksum":"2cd4d04f5080314ecc8403c4e2e00dbaa282dff395e2d031bc16c8d501bdd6db"},
 {"name":"hashie","version":"5.0.0","platform":"ruby","checksum":"9d6c4e51f2a36d4616cbc8a322d619a162d8f42815a792596039fc95595603da"},
-{"name":"hashie-forbidden_attributes","version":"0.1.1","platform":"ruby","checksum":"3a6ed37f3a314e4fb1dd1e2df6eb7721bcadd023a30bc0b951b2b5285a790fb2"},
 {"name":"health_check","version":"3.1.0","platform":"ruby","checksum":"10146508237dc54ed7e24c292d8ba7fb8f9590cf26c66e325b947438c4103b57"},
 {"name":"heapy","version":"0.2.0","platform":"ruby","checksum":"74141e845d61ffc7c1e8bf8b127c8cf94544ec7a1181aec613288682543585ea"},
 {"name":"html-pipeline","version":"2.13.2","platform":"ruby","checksum":"a1de83f7bd2d3464f3a068e391b661983fc6099d194c8d9ceb91ace02dadb803"},

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -710,8 +710,6 @@ GEM
    hangouts-chat (0.0.5)
    hashdiff (1.0.1)
    hashie (5.0.0)
-    hashie-forbidden_attributes (0.1.1)
-      hashie (>= 3.0)
    health_check (3.1.0)
      railties (>= 5.0)
    heapy (0.2.0)
@@ -1664,7 +1662,6 @@ DEPENDENCIES
  hamlit (~> 2.15.0)
  hangouts-chat (~> 0.0.5)
  hashie (~> 5.0.0)
-  hashie-forbidden_attributes
  health_check (~> 3.0)
  html-pipeline (~> 2.13.2)
  html2text

--- a/config/initializers/hashie_mash_permitted_patch.rb
+++ b/config/initializers/hashie_mash_permitted_patch.rb
+# frozen_string_literal: true
+
+# Pulls logic from https://github.com/Maxim-Filimonov/hashie-forbidden_attributes so we could drop the dependency.
+# This gem is simply `Hashie::Mash` monkey patch to allow mass assignment bypassing `:permitted?` check.
+#
+# Reasons:
+# 1. The gem was last updated 5 years ago and does not have CI setup to test under the latest Ruby/Rails.
+# 2. There is a significant chance this logic is not used at all.
+# We didn't find any explicit places in the code where we mass-assign to `Hashie::Mash`.
+# Experimental MR where we dropped the gem showed that no tests from the full suite failed:
+# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/101535
+# 3. The logic is very simple. Even if we need it, keeping it in our codebase is better than pulling a dependency.
+# This logic will be visible and it will be one less gem to install.
+#
+# Next steps:
+# 1. Keep the patch for at least one milestone in our codebase. Log its usage.
+# 2. After that, check if there were any related log events.
+# 3. If no usages were tracked, we could drop the patch (delete this file).
+# 4. Otherwise, audit where and why we need it, and add a comment to that place.
+#
+# See discussion https://gitlab.com/gitlab-org/gitlab/-/issues/378398#note_1143133426
+
+require 'hashie/mash'
+
+module Hashie
+  class Mash
+    module MonkeyPatch
+      def respond_to_missing?(method_name, *args)
+        if method_name == :permitted?
+          Gitlab::AppLogger.info(message: 'Hashie::Mash#respond_to?(:permitted?)',
+                                 caller: Gitlab::BacktraceCleaner.clean_backtrace(caller))
+
+          return false
+        end
+
+        super
+      end
+
+      def method_missing(method_name, *args)
+        if method_name == :permitted?
+          Gitlab::AppLogger.info(message: 'Hashie::Mash#permitted?',
+                                 caller: Gitlab::BacktraceCleaner.clean_backtrace(caller))
+
+          raise ArgumentError
+        end
+
+        super
+      end
+    end
+
+    prepend MonkeyPatch
+  end
+end
--- a/spec/initializers/hashie_mash_permitted_patch_spec.rb
+++ b/spec/initializers/hashie_mash_permitted_patch_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Hashie::Mash#permitted patch' do
+  let(:mash) { Hashie::Mash.new }
+
+  before do
+    load Rails.root.join('config/initializers/hashie_mash_permitted_patch.rb')
+  end
+
+  describe '#respond_to? with :permitted?' do
+    it 'returns false' do
+      expect(Gitlab::AppLogger).to receive(:info).with(
+        { message: 'Hashie::Mash#respond_to?(:permitted?)', caller: instance_of(Array) })
+
+      expect(mash.respond_to?(:permitted?)).to be false
+    end
+  end
+
+  describe '#permitted' do
+    it 'raises ArgumentError' do
+      expect(Gitlab::AppLogger).to receive(:info).with(
+        { message: 'Hashie::Mash#permitted?', caller: instance_of(Array) })
+
+      expect { mash.permitted? }.to raise_error(ArgumentError)
+    end
+  end
+end