authorandrew brown <aebrownz11@gmail.com>2017-04-09 12:41:23 -0700
committerandrew brown <aebrownz11@gmail.com>2017-04-09 12:56:46 -0700
commit8559a900641806b54a78737679060099e34b2baa (patch)
tree30b72c6f46d5da8b58bab11930a8e125a468f4e8
parent5e1a802b15af4ba991f9ed85a691f1a925cc0edf (diff)
downloadgitlab-ce-8559a900641806b54a78737679060099e34b2baa.tar.gz
Use the hashie-forbideen_attributes gem
This gem prevents Mash from responding to :permitted?, which disables mass assignment protection for the Grape API
-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock5
-rw-r--r--changelogs/unreleased/use-hashie-forbidden_attributes.yml4
3 files changed, 11 insertions, 1 deletions
diff --git a/Gemfile b/Gemfile
index d4b2ade4243..ad8db206da6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -73,6 +73,9 @@ gem 'grape', '~> 0.19.0'
gem 'grape-entity', '~> 0.6.0'
gem 'rack-cors', '~> 0.4.0', require: 'rack/cors'
+# Disable strong_params so that Mash does not respond to :permitted?
+gem 'hashie-forbidden_attributes'
+
# Pagination
gem 'kaminari', '~> 0.17.0'
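Review bot: The added `gem 'hashie-forbidden_attributes'` line has no version constraint, while the surrounding entries are all pinned with `~>`. Because this gem deliberately turns off the strong-parameters check for Mash params, a later `bundle update` should not be able to change that behaviour unnoticed; the lockfile resolves 0.1.1, so `gem 'hashie-forbidden_attributes', '~> 0.1.1'` would match it. The comment above the line says what is disabled but not what replaces it. I would extend it to something like `# Grape params are Hashie::Mash; with the :permitted? check off, endpoints must filter attributes themselves (e.g. declared params) before passing them to models`. Whether every API endpoint already filters its params that way cannot be seen from this diff and is worth confirming before merge.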
diff --git a/Gemfile.lock b/Gemfile.lock
index d7e3f7343d0..bb91db1e805 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -346,6 +346,8 @@ GEM
tilt
hashdiff (0.3.2)
hashie (3.5.5)
+ hashie-forbidden_attributes (0.1.1)
+ hashie (>= 3.0)
health_check (2.6.0)
rails (>= 4.0)
hipchat (1.5.2)
@@ -915,6 +917,7 @@ DEPENDENCIES
grape-entity (~> 0.6.0)
haml_lint (~> 0.21.0)
hamlit (~> 2.6.1)
+ hashie-forbidden_attributes
health_check (~> 2.6.0)
hipchat (~> 1.5.0)
html-pipeline (~> 1.11.0)
@@ -1035,4 +1038,4 @@ DEPENDENCIES
wikicloth (= 0.8.1)
BUNDLED WITH
- 1.14.5
+ 1.14.6
diff --git a/changelogs/unreleased/use-hashie-forbidden_attributes.yml b/changelogs/unreleased/use-hashie-forbidden_attributes.yml
new file mode 100644
index 00000000000..4f429b03a0d
--- /dev/null
+++ b/changelogs/unreleased/use-hashie-forbidden_attributes.yml
@@ -0,0 +1,4 @@
+---
+title: Add hashie-forbidden_attributes gem
+merge_request: 10579
+author: Andy Brown