From 9aa9f9981029543ef51ccb1788de32e416a0b91a Mon Sep 17 00:00:00 2001
From: Rob Zolkos
Date: Fri, 2 Feb 2024 16:54:15 +0000
Subject: [PATCH 1/2] Fix account param safety

---
 app/controllers/accounts_controller.rb | 10 +++++++---
 app/models/depository.rb | 2 +-
 config/routes.rb | 6 +++---
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 52e05739..18d6106e 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -33,8 +33,12 @@ class AccountsController < ApplicationController
   end
 
   def account_type_class
-    params[:type].constantize
-  rescue
-    Account # Default to Account if type is not provided or invalid
+    valid_account_types = %w[Checking CreditCard]
+
+    if params[:type].present? && valid_account_types.include?(params[:type])
+      params[:type].constantizes
+    else
+      Account # Default to Account if type is not provided or invalid
+    end
   end
 end
diff --git a/app/models/depository.rb b/app/models/depository.rb
index 64413a49..bacbb9e6 100644
--- a/app/models/depository.rb
+++ b/app/models/depository.rb
@@ -1,2 +1,2 @@
 class Depository < Account
-end
\ No newline at end of file
+end
diff --git a/config/routes.rb b/config/routes.rb
index 0a4af242..3edbdf2a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,9 +6,9 @@ Rails.application.routes.draw do
   resources :accounts
 
-  scope 'accounts/new' do
-    scope 'bank' do
-      get '', to: 'accounts#new_bank', as: 'new_bank'
+  scope "accounts/new" do
+    scope "bank" do
+      get "", to: "accounts#new_bank", as: "new_bank"
     end
   end
 
From f1909b3bf26d15fb7919b5d37a269d7822cbf1fb Mon Sep 17 00:00:00 2001
From: Rob Zolkos
Date: Fri, 2 Feb 2024 17:01:47 +0000
Subject: [PATCH 2/2] Add initial list of valid account types

---
 app/controllers/accounts_controller.rb | 4 +---
 app/models/account.rb | 2 ++
 2 files changed, 3 insertions(+), 3 deletions(-)
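Review bot: `params[:type].constantizes` on the new side of the accounts_controller.rb hunk is a typo — ActiveSupport defines `String#constantize`, so every allowlisted value raises NoMethodError instead of returning the class, and the fallback branch only runs for values the allowlist rejects; change the line to `params[:type].constantize`. The same line survives as context in the accounts_controller.rb hunk of the second patch, so the fix is needed after this series too. Replacing the bare `rescue` with an allowlist is the right direction: the old code resolved any constant name a client supplied and hid every error behind the default. Note that `%w[Checking CreditCard]` does not match the one model shown in this series (Depository), so as committed here the branch admits nothing the app defines; the second patch moves the list onto Account. The rest of AccountsController is outside the hunk.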
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 18d6106e..44b1aff9 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -33,9 +33,7 @@ class AccountsController < ApplicationController
   end
 
   def account_type_class
-    valid_account_types = %w[Checking CreditCard]
-
-    if params[:type].present? && valid_account_types.include?(params[:type])
+    if params[:type].present? && Account::VALID_ACCOUNT_TYPES.include?(params[:type])
       params[:type].constantizes
     else
       Account # Default to Account if type is not provided or invalid
diff --git a/app/models/account.rb b/app/models/account.rb
index 9f130896..73a8b482 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -1,3 +1,5 @@
 class Account < ApplicationRecord
   belongs_to :family
+
+  VALID_ACCOUNT_TYPES = %w[Investment Depository Credit Loan Property Vehicle OtherAsset OtherLiability].freeze
 end
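Review bot: `VALID_ACCOUNT_TYPES` in the account.rb hunk is the allowlist that gates `constantize` in AccountsController#account_type_class, but nothing at the definition says so, and the list is only safe to feed to `constantize` if every entry names an Account subclass; I would add above it `# Class names accepted from params[:type] before constantize; each must name an Account subclass in app/models.` Only Depository is visible in this series, so whether the other seven names have models cannot be confirmed from the patch — an entry with no class would surface as a NameError from constantize rather than falling back to Account, and keeping the constant next to the subclasses is what makes that easy to check. In the controller hunk, `params[:type].present?` is redundant once the value is compared against a frozen list of non-blank strings, though harmless; `Account::VALID_ACCOUNT_TYPES.include?(params[:type])` alone expresses the check. The remainder of account_type_class ends outside the hunk.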