
Add Rubocop rule to enforce declared_params usage in Grape API

Problem

There are many API endpoints where we use params directly instead of declared_params. That is not safe: it lets request keys bypass Grape's validation against the list of allowed params.

Suggestion

Add a Rubocop rule to enforce declared_params usage. That will make sure that we process only explicitly declared params and don't accept arbitrary user input.

# Before: `params` is the raw request hash, so keys that no Grape
# `params do ... end` block declared are still read and written here.

if params.key?(:private_profile) && params[:private_profile].nil?
  params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
end

# After: `declared_params` keeps only the keys declared for this endpoint;
# `include_missing: false` also drops declared keys the request did not send,
# so `key?` still distinguishes "sent as nil" from "not sent".

user_params = declared_params(include_missing: false)

if user_params.key?(:private_profile) && user_params[:private_profile].nil?
  user_params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
end
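As an added illustration of the proposed rule (not code from this issue or from GitLab's code base), here is a minimal stand-in for the cop built on Ruby's stdlib Ripper parser: it walks an endpoint body and reports every line that calls the bare `params` method, flagging the Before snippet and accepting the After one. A real RuboCop cop would express the same match with the NodePattern `(send nil? :params)`; the helper names `bare_params_lines` and `offenses` are hypothetical.

```ruby
require "ripper"

# Stand-in for the proposed cop: report each line that calls `params` directly.
# Ripper represents a bare, receiver-less method call as a :vcall node, so
# `params[:x]`, `params.key?(:x)` and `params[:x] = v` all match, while
# `declared_params(...)` and a local such as `user_params` do not.
# Returns sorted 1-based line numbers; [] means no direct `params` usage.
def bare_params_lines(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil? # unparsable source: nothing to report

  lines = []
  walk = lambda do |node|
    return unless node.is_a?(Array)
    if node[0] == :vcall && node[1].is_a?(Array) &&
       node[1][0] == :@ident && node[1][1] == "params"
      lines << node[1][2][0] # node[1] is [:@ident, "params", [line, col]]
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  lines.uniq.sort
end

# RuboCop-style offense messages for the lines found above.
def offenses(source)
  bare_params_lines(source).map do |line|
    "#{line}: Use declared_params instead of params so undeclared keys are dropped."
  end
end

# Constructed samples: the issue's Before and After snippets.
BEFORE = <<~RUBY
  if params.key?(:private_profile) && params[:private_profile].nil?
    params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
  end
RUBY

AFTER = <<~RUBY
  user_params = declared_params(include_missing: false)

  if user_params.key?(:private_profile) && user_params[:private_profile].nil?
    user_params[:private_profile] = Gitlab::CurrentSettings.user_defaults_to_private_profile
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "Before: #{offenses(BEFORE)}" # lines 1 and 2 flagged
  puts "After:  #{offenses(AFTER)}"  # no offenses
end
```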