Merge branch 'security-bvl-validate-force-remove-branch-on-mrs-ce' into 'master'

Only assign merge params when allowed See merge request gitlab/gitlabhq!3458
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-29 18:58:12 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-10-29 18:58:12 +0300
commit: a0043682b500ce39ff4eba00e8c1cecc64819ea1 (patch)
tree: 9c0f3d058052f42075ebbee9ae827023829efeec /app/models
parent: af84dec405c3f8d13220ee3f98eb4b2f0276a93d (diff)
parent: 20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index cd8ede3905a..67f666a89b2 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -69,6 +69,14 @@ class MergeRequest < ApplicationRecord
   has_many :merge_request_assignees
   has_many :assignees, class_name: "User", through: :merge_request_assignees
 
+  KNOWN_MERGE_PARAMS = [
+    :auto_merge_strategy,
+    :should_remove_source_branch,
+    :force_remove_source_branch,
+    :commit_message,
+    :squash_commit_message,
+    :sha
+  ].freeze
   serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize
 
   after_create :ensure_merge_request_diff
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-29 18:58:12 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-10-29 18:58:12 +0300
commit	a0043682b500ce39ff4eba00e8c1cecc64819ea1 (patch)
tree	9c0f3d058052f42075ebbee9ae827023829efeec /app/models
parent	af84dec405c3f8d13220ee3f98eb4b2f0276a93d (diff)
parent	20cb4f7ab567062fd67ccd40cd29ff1d2e85d8f0 (diff)