set activerecord whitelist_attributes to true

app/models/event.rb

 class Event < ActiveRecord::Base
   include PushEvent
+  attr_accessible :project, :action, :data, :author_id, :project_id,
+                  :target_id, :target_type
+
   default_scope where("author_id IS NOT NULL")
   Created   = 1

app/models/issue.rb

@@ -2,6 +2,9 @@ class Issue < ActiveRecord::Base
   include IssueCommonality
   include Votes
+  attr_accessible :title, :assignee_id, :closed, :position, :description,
+                  :milestone_id, :label_list, :author_id_of_changes
+
   acts_as_taggable_on :labels
   belongs_to :milestone

app/models/key.rb

@@ -4,7 +4,7 @@ class Key < ActiveRecord::Base
   belongs_to :user
   belongs_to :project
-  attr_protected :user_id
+  attr_accessible :key, :title
   validates :title,
             presence: true,

app/models/merge_request.rb

@@ -4,6 +4,9 @@ class MergeRequest < ActiveRecord::Base
   include IssueCommonality
   include Votes
+  attr_accessible :title, :assignee_id, :closed, :target_branch, :source_branch,
+                  :author_id_of_changes
+
   BROKEN_DIFF = "--broken-diff"
   UNCHECKED = 1
@@ -48,7 +51,8 @@ class MergeRequest < ActiveRecord::Base
   end
   def mark_as_unchecked
-    self.update_attributes(state: UNCHECKED)
+    self.state = UNCHECKED
+    self.save
   end
   def can_be_merged?

app/models/milestone.rb

@@ -13,6 +13,8 @@
 #
 class Milestone < ActiveRecord::Base
+  attr_accessible :title, :description, :due_date, :closed
+
   belongs_to :project
   has_many :issues

app/models/note.rb

@@ -2,6 +2,9 @@ require 'carrierwave/orm/activerecord'
 require 'file_size_validator'
 class Note < ActiveRecord::Base
+  attr_accessible :note, :noteable, :noteable_id, :noteable_type, :project_id,
+                  :attachment, :line_code
+
   belongs_to :project
   belongs_to :noteable, polymorphic: true
   belongs_to :author,
@@ -16,7 +19,6 @@ class Note < ActiveRecord::Base
            to: :author,
            prefix: true
-  attr_protected :author, :author_id
   attr_accessor :notify
   attr_accessor :notify_author

app/models/project.rb

@@ -6,6 +6,9 @@ class Project < ActiveRecord::Base
   include Authority
   include Team
+  attr_accessible :name, :path, :description, :code, :default_branch, :issues_enabled,
+                  :wall_enabled, :merge_requests_enabled, :wiki_enabled
+
   #
   # Relations
   #
@@ -25,11 +28,6 @@ class Project < ActiveRecord::Base
   attr_accessor :error_code
-  #
-  # Protected attributes
-  #
-  attr_protected :private_flag, :owner_id
-
   #
   # Scopes
   #

app/models/protected_branch.rb

 class ProtectedBranch < ActiveRecord::Base
   include GitHost
+  attr_accessible :name
+
   belongs_to :project
   validates_presence_of :project_id
   validates_presence_of :name

app/models/snippet.rb

 class Snippet < ActiveRecord::Base
   include Linguist::BlobHelper
+  attr_accessible :title, :content, :file_name, :expires_at
+
   belongs_to :project
   belongs_to :author, class_name: "User"
   has_many :notes, as: :noteable, dependent: :destroy
@@ -9,7 +11,6 @@ class Snippet < ActiveRecord::Base
            :email,
            to: :author,
            prefix: true
-  attr_protected :author, :author_id, :project, :project_id
   validates_presence_of :project_id
   validates_presence_of :author_id
@@ -46,11 +47,11 @@ class Snippet < ActiveRecord::Base
     0
   end
-  def name 
+  def name
     file_name
   end
-  def mode 
+  def mode
     nil
   end

app/models/users_project.rb

@@ -6,11 +6,11 @@ class UsersProject < ActiveRecord::Base
   DEVELOPER = 30
   MASTER    = 40
+  attr_accessible :user, :user_id, :project_access
+
   belongs_to :user
   belongs_to :project
-  attr_protected :project_id, :project
-
   after_save :update_repository
   after_destroy :update_repository

app/models/web_hook.rb

 class WebHook < ActiveRecord::Base
   include HTTParty
+  attr_accessible :url
+
   # HTTParty timeout
   default_timeout 10
@@ -18,11 +20,11 @@ class WebHook < ActiveRecord::Base
       post_url = url.gsub(parsed_url.userinfo+"@", "")
       WebHook.post(post_url,
                    body: data.to_json,
-                   headers: { "Content-Type" => "application/json" }, 
+                   headers: { "Content-Type" => "application/json" },
                    basic_auth: {username: parsed_url.user, password: parsed_url.password})
     end
   end
-  
+
 end
 # == Schema Information
 #

app/models/wiki.rb

 class Wiki < ActiveRecord::Base
+  attr_accessible :title, :content, :slug
+
   belongs_to :project
   belongs_to :user
   has_many :notes, as: :noteable, dependent: :destroy

app/roles/issue_commonality.rb

@@ -3,8 +3,6 @@ module IssueCommonality
   extend ActiveSupport::Concern
   included do
-    attr_protected :author, :author_id, :project, :project_id
-
     belongs_to :project
     belongs_to :author, class_name: "User"
     belongs_to :assignee, class_name: "User"

config/application.rb

@@ -39,6 +39,12 @@ module Gitlab
     # Configure sensitive parameters which will be filtered from the log file.
     config.filter_parameters += [:password]
+    # Enforce whitelist mode for mass assignment.
+    # This will create an empty whitelist of attributes available for mass-assignment for all models
+    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+    # parameters by using an attr_accessible or attr_protected declaration.
+    config.active_record.whitelist_attributes = true
+
     # Enable the asset pipeline
     config.assets.enabled = true

config/environments/development.rb

@@ -33,7 +33,7 @@ Gitlab::Application.configure do
   # Raise exception on mass assignment protection for Active Record models
   config.active_record.mass_assignment_sanitizer = :strict
-    
+
   # Log the query plan for queries taking more than this (works
   # with SQLite, MySQL, and PostgreSQL)
   config.active_record.auto_explain_threshold_in_seconds = 0.5

config/environments/test.rb

@@ -34,6 +34,9 @@ Gitlab::Application.configure do
   # like if you have constraints or database-specific column types
   # config.active_record.schema_format = :sql
+  # Raise exception on mass assignment protection for Active Record models
+  # config.active_record.mass_assignment_sanitizer = :strict
+
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr

spec/models/issue_spec.rb

@@ -5,6 +5,11 @@ describe Issue do
     it { should belong_to(:milestone) }
   end
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author_id) }
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     it { should ensure_length_of(:description).is_within(0..2000) }
     it { should ensure_inclusion_of(:closed).in_array([true, false]) }

spec/models/key_spec.rb

@@ -6,6 +6,11 @@ describe Key do
     it { should belong_to(:project) }
   end
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+    it { should_not allow_mass_assignment_of(:user_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:title) }
     it { should validate_presence_of(:key) }

spec/models/merge_request_spec.rb

@@ -6,6 +6,11 @@ describe MergeRequest do
     it { should validate_presence_of(:source_branch) }
   end
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:author_id) }
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe 'modules' do
     it { should include_module(IssueCommonality) }
     it { should include_module(Votes) }

spec/models/milestone_spec.rb

@@ -6,6 +6,10 @@ describe Milestone do
     it { should have_many(:issues) }
   end
+  describe "Mass assignment" do
+    it { should_not allow_mass_assignment_of(:project_id) }
+  end
+
   describe "Validation" do
     it { should validate_presence_of(:title) }
     it { should validate_presence_of(:project_id) }