Add Rubocop rule to enforce `declared_params` usage in Grape API
### Problem

There are many API endpoints where we use `params` directly instead of [`declared_params`](https://gitlab.com/gitlab-org/gitlab/-/blob/57af761c4408f0b8b0a327352de78af20cb4c5e0/lib/api/helpers.rb#L23-26). It's not safe, and it allows Grape validations from the allowed params list to be ignored.

### Suggestion

Add a Rubocop rule to enforce `declared_params` usage. That will make sure that we process only explicitly declared params and don't accept arbitrary user input.

```ruby
# Before
if params.key?(:private_profile) && params[:private_profile].nil?
  params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
end

# After
user_params = declared_params(include_missing: false)

if user_params.key?(:private_profile) && user_params[:private_profile].nil?
  user_params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
end
```
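
The check the suggested rule would perform, as an added sketch that is not GitLab's cop or code from this issue: it uses Ruby's standard-library `Ripper` lexer rather than RuboCop's AST API to report lines that touch `params` directly. The names `direct_params_uses`, `SAMPLE` and `default_private_profile` are assumptions made for the example.

```ruby
require 'ripper'

# Constructed sample endpoint (not GitLab code). `default_private_profile`
# is a hypothetical helper standing in for the settings lookup.
SAMPLE = <<~'RUBY'
  params do
    optional :private_profile, type: Boolean
  end
  put ':id' do
    # params in a comment must not be reported
    if params.key?(:private_profile) && params[:private_profile].nil?
      params[:private_profile] = default_private_profile
    end
    user_params = declared_params(include_missing: false)
    user_params[:private_profile]
  end
RUBY

# Returns [line_number, source_line] for each line that touches `params`
# directly. Working on lexer tokens means comments, strings and the
# identifier `declared_params` never match.
def direct_params_uses(source)
  lines = source.lines
  tokens = Ripper.lex(source).reject { |tok| tok[1] == :on_sp }
  hits = []
  tokens.each_with_index do |(pos, type, text), i|
    next unless type == :on_ident && text == 'params'

    prev_type = i.zero? ? nil : tokens[i - 1][1]
    nxt = tokens[i + 1]
    # Skip `foo.params` (another receiver) and the symbol `:params`.
    next if %i[on_period on_symbeg].include?(prev_type)
    # Skip the Grape DSL block `params do ... end` that declares the list.
    next if nxt && nxt[1] == :on_kw && nxt[2] == 'do'

    hits << [pos[0], lines[pos[0] - 1].strip]
  end
  hits.uniq
end

if __FILE__ == $PROGRAM_NAME
  direct_params_uses(SAMPLE).each { |line, src| puts "#{line}: #{src}" }
end
```

On the sample it reports the `if` line and the assignment line, and leaves the `params do` declaration and the `declared_params` call alone.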