Explicitly check for permitted parameters

This increases the security of chatops endpoins by only allowing
permitted parameters to be passed. It goes further and validates the
JSON RPC params are also explicitly named in the regular expression
matchers as well.

Author: TwP

lib/chatops/controller.rb

@@ -27,6 +27,8 @@ def list
     end
 
     def process(*args)
+      setup_params
+
       if params[:chatop].present?
         params[:action] = params[:chatop]
         args[0] = params[:action]
@@ -47,6 +49,33 @@ def execute_chatop
 
     protected
 
+    def setup_params
+      permitted_params = %i[
+        action
+        chatop
+        controller
+        mention_slug
+        method
+        room_id
+        user
+      ]
+
+      chatop_name =
+        if params[:chatop].present?
+          params[:chatop].to_sym
+        elsif params[:action].present?
+          params[:action].to_sym
+        else
+          nil
+        end
+
+      if chatop = self.class.chatops[chatop_name]
+        permitted_params << { params: chatop[:params] }
+      end
+
+      self.params = params.permit(*permitted_params)
+    end
+
     def jsonrpc_params
       params["params"] || {}
     end