diff --git a/app/services/polymorphic_object_finder.rb b/app/services/polymorphic_object_finder.rb
index 214cc5522c664d38d9d1c9167df6fad8a496f609..4e44c64589c417b78f88a2eef7248901745472d7 100644
--- a/app/services/polymorphic_object_finder.rb
+++ b/app/services/polymorphic_object_finder.rb
@@ -10,10 +10,22 @@ class PolymorphicObjectFinder
   def self.find(params, key:, university:, only: [])
     key_id = "#{key}_id".to_sym
     key_type = "#{key}_type".to_sym
-    model_name = only.any? ? only.detect { |item| item == params[key_type] } : params[key_type]
+    model_name = self.find_model_name(params, key_type, only)
     return if model_name.nil?
+
     model = model_name.constantize
     id = params[key_id]
     model.where(university: university).find(id)
   end
+
+  private
+
+  def self.find_model_name(params, key_type, only)
+    if only.any?
+      # Whitelist user input
+      only.detect { |item| item == params[key_type] }
+    else
+      params[key_type]
+    end
+  end
 end
\ No newline at end of file
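Review bot: The `else` branch of `find_model_name` still returns `params[key_type]` unchecked, so with the default `only: []` a request-supplied string reaches `model_name.constantize` in `find`. The `# Whitelist user input` comment therefore holds only for callers that pass a non-empty `only`. Consider failing closed by replacing the `else` body with `nil` (or `raise ArgumentError, "only: allowlist required"`), so that an allowlist is mandatory; callers that omit `only` are outside this diff and would need checking first. Separately, the bare `private` does not apply to methods defined with `def self.`, so `find_model_name` remains publicly callable; adding `private_class_method :find_model_name` after the definition would make it private.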