Merge branch '477182-dependency-proxy-strong-params' into 'master'

Update dependency proxy controllers to use StrongParams See merge request !163384 Merged-by: Radamanthus Batnag <rbatnag@gitlab.com> Approved-by: Dzmitry (Dima) Meshcharakou <12459192-dmeshcharakou@users.noreply.gitlab.com> Approved-by: Radamanthus Batnag <rbatnag@gitlab.com> Co-authored-by: Pankaj Ahuja <ray.pankaj@gmail.com>

Merge branch '477182-dependency-proxy-strong-params' into 'master'
a7827f9b · Radamanthus Batnag · GitLab · 7c77c8f1 · 58cbfabb · a7827f9b
Verified Commit a7827f9b authored 5 months ago by Radamanthus Batnag Committed by GitLab 5 months ago
--- a/.rubocop_todo/rails/strong_params.yml
+++ b/.rubocop_todo/rails/strong_params.yml
@@ -67,8 +67,6 @@ Rails/StrongParams:
    - 'app/controllers/groups/boards_controller.rb'
    - 'app/controllers/groups/children_controller.rb'
    - 'app/controllers/groups/clusters_controller.rb'
-    - 'app/controllers/groups/dependency_proxy/application_controller.rb'
-    - 'app/controllers/groups/dependency_proxy_for_containers_controller.rb'
    - 'app/controllers/groups/deploy_tokens_controller.rb'
    - 'app/controllers/groups/group_links_controller.rb'
    - 'app/controllers/groups/group_members_controller.rb'

--- a/app/controllers/groups/dependency_proxy_for_containers_controller.rb
+++ b/app/controllers/groups/dependency_proxy_for_containers_controller.rb
@@ -19,6 +19,8 @@ class Groups::DependencyProxyForContainersController < ::Groups::DependencyProxy
  feature_category :virtual_registry
  urgency :low
+  PERMITTED_PARAMS = [:image, :tag, :file, :sha, :group_id].freeze
  def manifest
    result = DependencyProxy::FindCachedManifestService.new(group, image, tag, token).execute
@@ -42,7 +44,7 @@ def blob
      send_upload(blob.file)
    else
-      send_dependency(token_header, DependencyProxy::Registry.blob_url(image, params[:sha]), blob_file_name)
+      send_dependency(token_header, DependencyProxy::Registry.blob_url(image, permitted_params[:sha]), blob_file_name)
    end
  end
@@ -55,8 +57,8 @@ def authorize_upload_blob
  def upload_blob
    @group.dependency_proxy_blobs.create!(
      file_name: blob_file_name,
-      file: params[:file],
+      file: permitted_params[:file],
-      size: params[:file].size
+      size: permitted_params[:file].size
    )
    event_name = tracking_event_name(object_type: :blob, from_cache: false)
@@ -76,8 +78,8 @@ def upload_manifest
      file_name: manifest_file_name,
      content_type: request.headers[Gitlab::Workhorse::SEND_DEPENDENCY_CONTENT_TYPE_HEADER],
      digest: request.headers[DependencyProxy::Manifest::DIGEST_HEADER],
-      file: params[:file],
+      file: permitted_params[:file],
-      size: params[:file].size
+      size: permitted_params[:file].size
    }
    manifest = @group.dependency_proxy_manifests
@@ -99,7 +101,7 @@ def upload_manifest
  private
  def group
-    Group.find_by_full_path(params[:group_id], follow_redirects: true)
+    Group.find_by_full_path(permitted_params[:group_id], follow_redirects: true)
  end
  strong_memoize_attr :group
@@ -122,7 +124,7 @@ def send_manifest(manifest, from_cache:)
  end
  def blob_file_name
-    @blob_file_name ||= "#{params[:sha].sub('sha256:', '')}.gz"
+    @blob_file_name ||= "#{permitted_params[:sha].sub('sha256:', '')}.gz"
  end
  def manifest_file_name
@@ -130,11 +132,15 @@ def manifest_file_name
  end
  def image
-    params[:image]
+    permitted_params[:image]
  end
  def tag
-    params[:tag]
+    permitted_params[:tag]
+  end
+  def permitted_params
+    params.permit(PERMITTED_PARAMS)
  end
  def tracking_event_name(object_type:, from_cache:)