Geo Primary Verification API: Implement secure attribute exposure mechanism for addl_info field

Why are we doing this work

This work is a follow-up to #537707 (closed) and addresses security concerns raised in !197917 (comment 2641508252).

Currently, the Primary Verification API's addl_info field exposes all model attributes without any filtering mechanism. This poses potential security risks as it could inadvertently expose sensitive information that should not be accessible through the API.

As noted in the MR review:

"I'm not sure how good an idea it is to expose an endpoint that returns data about all our entities, and that too that exposes all the attributes."

We need to implement a secure mechanism that allows models to explicitly define which attributes are safe to expose through the API, rather than exposing everything by default.

What is needed in this change

We need to implement a secure attribute exposure mechanism that:

  1. Prevents accidental exposure of sensitive data - Only explicitly allowed attributes should be included in addl_info
  2. Provides model-level control - Each model should be able to define its own set of exposable attributes
  3. Defaults to secure behavior - If no attributes are explicitly defined, addl_info should be empty rather than exposing everything
  4. Maintains backward compatibility - The API response structure should remain the same

Implementation approaches

Approach 1

Based on the discussion in the MR, we should implement a concern-based approach:

  1. Create a new concern DataManagement::ExposableAttributes that:

    • Defines a class attribute exposable_attributes with an empty array as default
    • Provides methods to safely retrieve only the allowed attributes
  2. Update model extensions to include the concern and define safe attributes:

    module EE
      module SnippetRepository
        extend ActiveSupport::Concern
    
        prepended do
          # Opt this model into the allow-list mechanism; anything not listed
          # here is never emitted in addl_info.
          include ::DataManagement::ExposableAttributes
          self.exposable_attributes = [:disk_path, :shard_id]
        end
      end
    end
  3. Update the API Entity to only expose attributes defined in exposable_attributes:

    • If exposable_attributes is empty, addl_info should be an empty array
    • Only include attributes that are explicitly listed in the model's exposable_attributes

Approach 2

Another idea is to reuse existing API entities, such as the project entity or the merge request diff entity, which already define a vetted set of exposed fields.

The model entity would then add the matching entity programmatically, selecting it by the class of the model variable.

Implementation plan

TBD depending on approach chosen.
