Merge pull request #1567 from NARKOZ/mass-assignment

set activerecord whitelist_attributes to true [2]

app/models/event.rb

@@ -1,6 +1,9 @@
 class Event < ActiveRecord::Base
   include PushEvent
 
+  attr_accessible :project, :action, :data, :author_id, :project_id,
+                  :target_id, :target_type
+
   default_scope where("author_id IS NOT NULL")
 
   Created   = 1

app/models/issue.rb

@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
   include IssueCommonality
   include Votes
 
+  attr_accessible :title, :assignee_id, :closed, :position, :description,
+                  :milestone_id, :label_list, :author_id_of_changes
+
   acts_as_taggable_on :labels
 
   belongs_to :milestone

app/models/key.rb

@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
   belongs_to :user
   belongs_to :project
 
-  attr_protected :user_id
+  attr_accessible :key, :title
 
   validates :title,
             presence: true,

app/models/merge_request.rb

@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
   include IssueCommonality
   include Votes
 
+  attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
+                  :author_id_of_changes
+
   BROKEN_DIFF = "--broken-diff"
 
   UNCHECKED = 1
@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
   end
 
   def mark_as_unchecked
-    self.update_attributes(state: UNCHECKED)
+    self.state = UNCHECKED
+    self.save
   end
 
   def can_be_merged?

app/models/milestone.rb

@@ -13,6 +13,8 @@
 #
 
 class Milestone < ActiveRecord::Base
+  attr_accessible :title, :description, :due_date, :closed
+
   belongs_to :project
   has_many :issues
 

app/models/note.rb

@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
 require 'file_size_validator'
 
 class Note < ActiveRecord::Base
+  attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+                  :attachment, :line_code
+
   belongs_to :project
   belongs_to :noteable, polymorphic: true
   belongs_to :author,
@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
            to: :author,
            prefix: true
 
-  attr_protected :author, :author_id
   attr_accessor :notify
   attr_accessor :notify_author
 

app/models/project.rb

@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
   include Authority
   include Team
 
+  attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
+                  :wall_enabled, :merge_requests_enabled, :wiki_enabled
+
   #
   # Relations
   #
@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
 
   attr_accessor :error_code
 
-  #
-  # Protected attributes
-  #
-  attr_protected :private_flag, :owner_id
-
   #
   # Scopes
   #

app/models/protected_branch.rb

@@ -1,6 +1,8 @@
 class ProtectedBranch < ActiveRecord::Base
   include GitHost
 
+  attr_accessible :name
+
   belongs_to :project
   validates_presence_of :project_id
   validates_presence_of :name

app/models/snippet.rb

@@ -1,6 +1,8 @@
 class Snippet < ActiveRecord::Base
   include Linguist::BlobHelper
 
+  attr_accessible :title, :content, :file_name, :expires_at
+
   belongs_to :project
   belongs_to :author, class_name: "User"
   has_many :notes, as: :noteable, dependent: :destroy
@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
            :email,
            to: :author,
            prefix: true
-  attr_protected :author, :author_id, :project, :project_id
 
   validates_presence_of :project_id
   validates_presence_of :author_id
@@ -46,11 +47,11 @@ class Snippet < ActiveRecord::Base
     0
   end
 
-  def name 
+  def name
     file_name
   end
 
-  def mode 
+  def mode
     nil
   end
 

app/models/users_project.rb

@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
   DEVELOPER = 30
   MASTER    = 40
 
+  attr_accessible :user, :user_id, :project_access
+
   belongs_to :user
   belongs_to :project
 
-  attr_protected :project_id, :project
-
   after_save :update_repository
   after_destroy :update_repository
 

app/models/web_hook.rb

@@ -1,6 +1,8 @@
 class WebHook < ActiveRecord::Base
   include HTTParty
 
+  attr_accessible :url
+
   # HTTParty timeout
   default_timeout 10
 
@@ -18,11 +20,11 @@ class WebHook < ActiveRecord::Base
       post_url = url.gsub(parsed_url.userinfo+"@", "")
       WebHook.post(post_url,
                    body: data.to_json,
-                   headers: { "Content-Type" => "application/json" }, 
+                   headers: { "Content-Type" => "application/json" },
                    basic_auth: {username: parsed_url.user, password: parsed_url.password})
     end
   end
-  
+
 end
 # == Schema Information
 #

app/models/wiki.rb

@@ -1,4 +1,6 @@
 class Wiki < ActiveRecord::Base
+  attr_accessible :title, :content, :slug
+
   belongs_to :project
   belongs_to :user
   has_many :notes, as: :noteable, dependent: :destroy

app/roles/issue_commonality.rb

@@ -3,8 +3,6 @@ module IssueCommonality
   extend ActiveSupport::Concern
 
   included do
-    attr_protected :author, :author_id, :project, :project_id
-
     belongs_to :project
     belongs_to :author, class_name: "User"
     belongs_to :assignee, class_name: "User"

config/application.rb

@@ -39,6 +39,12 @@ module Gitlab
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters += [:password]
 
+    # Enforce whitelist mode for mass assignment.
+    # This will create an empty whitelist of attributes available for mass-assignment for all models
+    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+    # parameters by using an attr_accessible or attr_protected declaration.
+    config.active_record.whitelist_attributes = true
+
     # Enable the asset pipeline
     config.assets.enabled = true
 

config/environments/development.rb

@@ -33,7 +33,7 @@ Gitlab::Application.configure do
 
   # Raise exception on mass assignment protection for Active Record models
   config.active_record.mass_assignment_sanitizer = :strict
-    
+
   # Log the query plan for queries taking more than this (works
   # with SQLite, MySQL, and PostgreSQL)
   config.active_record.auto_explain_threshold_in_seconds = 0.5

config/environments/test.rb

@@ -34,6 +34,9 @@ Gitlab::Application.configure do
   # like if you have constraints or database-specific column types
   # config.active_record.schema_format = :sql
 
+  # Raise exception on mass assignment protection for Active Record models
+  # config.active_record.mass_assignment_sanitizer = :strict
+
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
 

lib/gitlab/auth.rb

@@ -30,7 +30,7 @@ module Gitlab
       log.info "#{ldap_prefix}Creating user from #{provider} login"\
         " {uid => #{uid}, name => #{name}, email => #{email}}"
       password = Devise.friendly_token[0, 8].downcase
-      @user = User.new(
+      @user = User.new({
         extern_uid: uid,
         provider: provider,
         name: name,
@@ -38,7 +38,7 @@ module Gitlab
         password: password,
         password_confirmation: password,
         projects_limit: Gitlab.config.default_projects_limit,
-      )
+      }, as: :admin)
       if Gitlab.config.omniauth['block_auto_created_users'] && !ldap
         @user.blocked = true
       end

spec/models/issue_spec.rb

@@ -5,6 +5,11 @@ describe Issue do
     it { should belong_to(:milestone) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author_id) }
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     it { should ensure_length_of(:description).is_within(0..2000) }
     it { should ensure_inclusion_of(:closed).in_array([true, false]) }

spec/models/key_spec.rb

@@ -6,6 +6,11 @@ describe Key do
     it { should belong_to(:project) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+    it { should_not allow_mass_assignment_of(:user_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:title) }
     it { should validate_presence_of(:key) }

spec/models/merge_request_spec.rb

@@ -6,6 +6,11 @@ describe MergeRequest do
     it { should validate_presence_of(:source_branch) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author_id) }
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe 'modules' do
     it { should include_module(IssueCommonality) }
     it { should include_module(Votes) }

spec/models/milestone_spec.rb

@@ -6,6 +6,10 @@ describe Milestone do
     it { should have_many(:issues) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:title) }
     it { should validate_presence_of(:project_id) }

spec/models/note_spec.rb

@@ -7,6 +7,11 @@ describe Note do
     it { should belong_to(:author).class_name('User') }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author) }
+    it { should_not allow_mass_assignment_of(:author_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:note) }
     it { should validate_presence_of(:project) }

spec/models/project_spec.rb

@@ -17,6 +17,11 @@ describe Project do
     it { should have_many(:protected_branches).dependent(:destroy) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:owner_id) }
+    it { should_not allow_mass_assignment_of(:private_flag) }
+  end
+
   describe "Validation" do
     let!(:project) { create(:project) }
 

spec/models/protected_branch_spec.rb

@@ -5,6 +5,10 @@ describe ProtectedBranch do
     it { should belong_to(:project) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe 'Validation' do
     it { should validate_presence_of(:project_id) }
     it { should validate_presence_of(:name) }

spec/models/snippet_spec.rb

@@ -7,6 +7,11 @@ describe Snippet do
     it { should have_many(:notes).dependent(:destroy) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author_id) }
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:author_id) }
     it { should validate_presence_of(:project_id) }

spec/models/user_spec.rb

@@ -15,6 +15,11 @@ describe User do
     it { should have_many(:assigned_merge_requests).dependent(:destroy) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:projects_limit) }
+    it { should allow_mass_assignment_of(:projects_limit).as(:admin) }
+  end
+
   describe 'validations' do
     it { should validate_presence_of(:projects_limit) }
     it { should validate_numericality_of(:projects_limit) }
@@ -73,30 +78,4 @@ describe User do
       user.authentication_token.should_not be_blank
     end
   end
-
-  describe "attributes can be changed by a regular user" do
-    before do
-      @user = Factory :user
-      @user.update_attributes(skype: "testskype", linkedin: "testlinkedin")
-    end
-    it { @user.skype.should == 'testskype' }
-    it { @user.linkedin.should == 'testlinkedin' }
-  end
-
-  describe "attributes that shouldn't be changed by a regular user" do
-    before do
-      @user = Factory :user
-      @user.update_attributes(projects_limit: 50)
-    end
-    it { @user.projects_limit.should_not == 50 }
-  end
-
-  describe "attributes can be changed by an admin user" do
-    before do
-      @admin_user = Factory :admin
-      @admin_user.update_attributes({ skype: "testskype", projects_limit: 50 }, as: :admin)
-    end
-    it { @admin_user.skype.should == 'testskype' }
-    it { @admin_user.projects_limit.should == 50 }
-  end
 end

spec/models/users_project_spec.rb

@@ -6,6 +6,10 @@ describe UsersProject do
     it { should belong_to(:user) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     let!(:users_project) { create(:users_project) }
 

spec/models/web_hook_spec.rb

@@ -5,6 +5,10 @@ describe ProjectHook do
     it { should belong_to :project }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validations" do
     it { should validate_presence_of(:url) }
 

spec/models/wiki_spec.rb

@@ -7,6 +7,11 @@ describe Wiki do
     it { should have_many(:notes).dependent(:destroy) }
   end
 
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+    it { should_not allow_mass_assignment_of(:user_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:title) }
     it { should ensure_length_of(:title).is_within(1..250) }