Add a manual workaround for Kaminari security issue

The details are in the comments, but basically we can't upgrade to a more recent version of Kaminari because of an issue with the Elasticsearch Rails Gem. However, we can put in this workaround as suggested by the Kaminari devs.
alphagov · Dec 9, 2020 · da355e9 · da355e9
1 parent 39d7bc6
commit da355e9
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/config/initializers/kaminari_config.rb b/config/initializers/kaminari_config.rb
@@ -4,3 +4,12 @@
 
 Kaminari::Hooks.init if defined?(Kaminari::Hooks)
 Elasticsearch::Model::Response::Response.__send__ :include, Elasticsearch::Model::Response::Pagination::Kaminari
+
+# This is a workaround suggested by the Kaminari team to fix a security issue:
+#  https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
+#
+# Ideally we would upgrade to Kaminari 1.2, but we can't because:
+#  https://github.com/elastic/elasticsearch-rails/issues/966
+module Kaminari::Helpers
+  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
+end