Merge pull request #252 from robzolkos/safe-account

Fix account param safety
2025-08-02 20:15:22 +02:00 · 2024-02-02 11:09:14 -06:00 · 2024-02-02 11:09:14 -06:00 · 775c42c1d6
commit 775c42c1d6
parent a586d63027 f1909b3bf2
4 changed files with 11 additions and 7 deletions
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@ -33,8 +33,10 @@ class AccountsController < ApplicationController
  end

  def account_type_class
-    params[:type].constantize
-  rescue
-    Account # Default to Account if type is not provided or invalid
+    if params[:type].present? && Account::VALID_ACCOUNT_TYPES.include?(params[:type])
+      params[:type].constantizes
+    else
+      Account # Default to Account if type is not provided or invalid
+    end
  end
 end
--- a/app/models/account.rb
+++ b/app/models/account.rb
@ -1,3 +1,5 @@
 class Account < ApplicationRecord
  belongs_to :family
+
+  VALID_ACCOUNT_TYPES = %w[Investment Depository Credit Loan Property Vehicle OtherAsset OtherLiability].freeze
 end
--- a/app/models/depository.rb
+++ b/app/models/depository.rb
@ -1,2 +1,2 @@
 class Depository < Account
-end
+end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -6,9 +6,9 @@ Rails.application.routes.draw do

  resources :accounts

-  scope 'accounts/new' do
-    scope 'bank' do
-      get '', to: 'accounts#new_bank', as: 'new_bank'
+  scope "accounts/new" do
+    scope "bank" do
+      get "", to: "accounts#new_bank", as: "new_bank"
    end
  end