Unverified Commit d35ee8de authored by Sébastien Gaya's avatar Sébastien Gaya

force whitelist

parent a3aeb727
......@@ -10,7 +10,7 @@ class PolymorphicObjectFinder
def self.find(params, key:, university:, only: [])
key_id = "#{key}_id".to_sym
key_type = "#{key}_type".to_sym
model_name = self.find_model_name(params, key_type, only)
model_name = self.safe_model_name(params, key_type, only)
return if model_name.nil?
model = model_name.constantize
......@@ -20,12 +20,10 @@ class PolymorphicObjectFinder
private
def self.find_model_name(params, key_type, only)
if only.any?
# Whitelist user input
only.detect { |item| item == params[key_type] }
else
params[key_type]
end
# Whitelist user input
def self.safe_model_name(params, key_type, only)
only.detect { |item|
item == params[key_type]
}
end
end
\ No newline at end of file
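Review bot: With `only: []` still the default on `find`, any caller that passes no allowlist now gets `nil` from `safe_model_name` and `find` returns silently; that fails closed, but a forgotten allowlist becomes indistinguishable from a rejected type. Consider making the keyword required (`def self.find(params, key:, university:, only:)`) or raising `ArgumentError` when `only` is empty, after checking existing callers. Separately, the bare `private` above `def self.safe_model_name` does not apply to singleton methods, so the helper stays publicly callable; `private_class_method :safe_model_name` after the definition would actually hide it. A short comment on `only` stating that it must hold class-name strings, since the matched item rather than the raw parameter is what reaches `constantize`, would document the contract. `find` continues past the first hunk, so how the looked-up record is scoped to `university` is not visible here.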