[Rails5] Use `safe_params` instead of `params` in `url_for` helpers

This commits replaces `params` with `safe_params` in `url_for` helpers to resolve security issues [1] and failing specs with the ``` ArgumentError: Attempting to generate a URL from non-sanitized request parameters! An attacker can inject malicious data into the generated URL, such as changing the host. Whitelist and sanitize passed parameters to be secure. ``` error. [1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168

[Rails5] Use `safe_params` instead of `params` in `url_for` helpers
350e26b8 · blackst0ne · ee189fd5 · 350e26b8 · 350e26b8 · 350e26b8
Commit 350e26b8 authored Apr 28, 2018 by blackst0ne
5 changed files
--- a/app/controllers/concerns/issuable_collections.rb
+++ b/app/controllers/concerns/issuable_collections.rb
@@ -57,7 +57,7 @@ module IssuableCollections
    out_of_range = @issuables.current_page > total_pages # rubocop:disable Gitlab/ModuleWithInstanceVariables

    if out_of_range
-      redirect_to(url_for(params.merge(page: total_pages, only_path: true)))
+      redirect_to(url_for(safe_params.merge(page: total_pages, only_path: true)))
    end

    out_of_range

--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -33,6 +33,6 @@ class Groups::ApplicationController < ApplicationController
  def build_canonical_path(group)
    params[:group_id] = group.to_param

-    url_for(params)
+    url_for(safe_params)
  end
 end
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -25,7 +25,7 @@ class Projects::ApplicationController < ApplicationController
    params[:namespace_id] = project.namespace.to_param
    params[:project_id] = project.to_param

-    url_for(params)
+    url_for(safe_params)
  end

  def repository

--- a/app/views/peek/_bar.html.haml
+++ b/app/views/peek/_bar.html.haml
@@ -3,5 +3,5 @@
 #js-peek{ data: { env: Peek.env,
         request_id: Peek.request_id,
         peek_url: peek_routes.results_url,
-         profile_url: url_for(params.merge(lineprofiler: 'true')) },
+         profile_url: url_for(safe_params.merge(lineprofiler: 'true')) },
         class: Peek.env }
--- a/app/views/projects/diffs/_diffs.html.haml
+++ b/app/views/projects/diffs/_diffs.html.haml
@@ -8,7 +8,7 @@
  .files-changed-inner
    .inline-parallel-buttons.hidden-xs.hidden-sm
      - if !diffs_expanded? && diff_files.any? { |diff_file| diff_file.collapsed? }
-        = link_to 'Expand all', url_for(params.merge(expanded: 1, format: nil)), class: 'btn btn-default'
+        = link_to 'Expand all', url_for(safe_params.merge(expanded: 1, format: nil)), class: 'btn btn-default'
      - if show_whitespace_toggle
        - if current_controller?(:commit)
          = commit_diff_whitespace_link(diffs.project, @commit, class: 'hidden-xs')