Unverified Commit d35ee8de authored by Sébastien Gaya's avatar Sébastien Gaya

force whitelist

parent a3aeb727
...@@ -10,7 +10,7 @@ class PolymorphicObjectFinder ...@@ -10,7 +10,7 @@ class PolymorphicObjectFinder
def self.find(params, key:, university:, only: []) def self.find(params, key:, university:, only: [])
key_id = "#{key}_id".to_sym key_id = "#{key}_id".to_sym
key_type = "#{key}_type".to_sym key_type = "#{key}_type".to_sym
model_name = self.find_model_name(params, key_type, only) model_name = self.safe_model_name(params, key_type, only)
return if model_name.nil? return if model_name.nil?
model = model_name.constantize model = model_name.constantize
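Review bot: with `only: []` still the default, every caller that does not pass a whitelist now silently gets `nil` back from `find` instead of an object, which is the right direction (the old path passed `params[key_type]` straight into `constantize`, so request input picked the class) but it hides misuse; consider making `only` a required keyword (`only:` without a default) or raising when it is empty so a forgotten whitelist fails loudly in development rather than returning nothing in production. The `model_name.constantize` call is fine once `safe_model_name` can only return a value taken from `only`.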
...@@ -20,12 +20,10 @@ class PolymorphicObjectFinder ...@@ -20,12 +20,10 @@ class PolymorphicObjectFinder
private private
def self.find_model_name(params, key_type, only) # Whitelist user input
if only.any? def self.safe_model_name(params, key_type, only)
# Whitelist user input only.detect { |item|
only.detect { |item| item == params[key_type] } item == params[key_type]
else }
params[key_type]
end
end end
end end
\ No newline at end of file
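Review bot: the `private` keyword above `def self.safe_model_name` has no effect on a class method in Ruby, so `safe_model_name` remains callable from outside; use `private_class_method :safe_model_name` after the definition if it is meant to be internal. Also, `only.detect { |item| item == params[key_type] }` only matches when the whitelist entries are strings of exactly the same form as the request value; if callers pass symbols or class constants the comparison never succeeds and `find` always returns `nil`, so either document that `only` takes strings or compare on `item.to_s`.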