Move `skip_auth` from `params` to `#execute` (!70995) · Merge requests · GitLab.org / GitLab

Luke Duncalfe requested to merge 341464-issues-update-service-move-skip-authorization-param-to-execute into master Sep 22, 2021

What does this MR do and why?

Support for a skip_auth option was added to Issues::UpdateService in !64929 (merged) to allow that service to skip its authorization step.

The option was previously passed through alongside the regular issue attribute params. As the params often come from user-land, the risk is an exploitable situation where inadequately filtered params are passed to the service, allowing a user to skip the authorization.

Currently, in every instance of this service, we use strong params or forms thereof, so the exploit is not possible https://gitlab.com/gitlab-org/gitlab/-/issues/341464#audit-of-uses-of-issuesupdateservice.

However, we should avoid the possibility of the option being exploitable in future and move this option from the params hash to #execute. This is a method used in a number of services and finders.

#341464 (will become public when this MR is merged https://gitlab.com/gitlab-org/gitlab/-/issues/341464#note_683851060).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #341464

Edited Sep 22, 2021 by Luke Duncalfe

Move `skip_auth` from `params` to `#execute`

What does this MR do and why?

MR acceptance checklist

Merge request reports