From d35ee8de80fa4fefad1ae6f9d0e722a78d4fd15d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Gaya?= <sebastien.gaya@gmail.com>
Date: Fri, 8 Dec 2023 16:17:27 +0100
Subject: [PATCH] force whitelist

---
 app/services/polymorphic_object_finder.rb | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/app/services/polymorphic_object_finder.rb b/app/services/polymorphic_object_finder.rb
index 4e44c6458..a5d8acef2 100644
--- a/app/services/polymorphic_object_finder.rb
+++ b/app/services/polymorphic_object_finder.rb
@@ -10,7 +10,7 @@ class PolymorphicObjectFinder
   def self.find(params, key:, university:, only: [])
     key_id = "#{key}_id".to_sym
     key_type = "#{key}_type".to_sym
-    model_name = self.find_model_name(params, key_type, only)
+    model_name = self.safe_model_name(params, key_type, only)
     return if model_name.nil?
 
     model = model_name.constantize
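Review bot: The whitelist is still optional here: `find` keeps `only: []` as its default, and with the new `safe_model_name` an empty list makes `detect` return nil, so any caller that omits `only:` now silently gets nil back from `find` instead of an error. Since the intent is to force the whitelist, make the keyword required, `def self.find(params, key:, university:, only:)`, or fail loudly before the lookup with `raise ArgumentError, "only: must list the permitted type names" if only.empty?`. A comment on the signature should also state that `only` is the set of permitted type names and is the only value that ever reaches `constantize`. The body of `find` continues past the end of the hunk.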
@@ -20,12 +20,10 @@ class PolymorphicObjectFinder
 
   private
 
-  def self.find_model_name(params, key_type, only)
-    if only.any?
-      # Whitelist user input
-      only.detect { |item| item == params[key_type] }
-    else
-      params[key_type]
-    end
+  # Whitelist user input
+  def self.safe_model_name(params, key_type, only)
+    only.detect { |item|
+      item == params[key_type]
+    }
   end
 end
\ No newline at end of file
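Review bot: The `private` keyword above `def self.safe_model_name` does not apply to it — `private` only affects instance methods, so the new class method is still public (the removed `find_model_name` had the same issue); add `private_class_method :safe_model_name` after the definition. The multi-line `{ }` block is also unidiomatic; `only.detect { |item| item == params[key_type] }` fits on one line, as the removed code had it. The comment could state the contract rather than the intent: `# Returns params[key_type] only when it appears in only; otherwise nil, so find never constantizes an unlisted name.` Note that `detect` compares with `==`, so if callers pass symbols or class constants in `only` a string parameter value will never match — worth confirming against the callers.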
-- 
GitLab