From 9aa9f9981029543ef51ccb1788de32e416a0b91a Mon Sep 17 00:00:00 2001
From: Rob Zolkos
Date: Fri, 2 Feb 2024 16:54:15 +0000
Subject: [PATCH] Fix account param safety

---
 app/controllers/accounts_controller.rb | 10 +++++++---
 app/models/depository.rb               |  2 +-
 config/routes.rb                       |  6 +++---
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 52e05739..18d6106e 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -33,8 +33,12 @@ class AccountsController < ApplicationController
   end
 
   def account_type_class
-    params[:type].constantize
-  rescue
-    Account # Default to Account if type is not provided or invalid
+    valid_account_types = %w[Checking CreditCard]
+
+    if params[:type].present? && valid_account_types.include?(params[:type])
+      params[:type].constantizes
+    else
+      Account # Default to Account if type is not provided or invalid
+    end
   end
 end
diff --git a/app/models/depository.rb b/app/models/depository.rb
index 64413a49..bacbb9e6 100644
--- a/app/models/depository.rb
+++ b/app/models/depository.rb
@@ -1,2 +1,2 @@
 class Depository < Account
-end
\ No newline at end of file
+end
diff --git a/config/routes.rb b/config/routes.rb
index 0a4af242..3edbdf2a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,9 +6,9 @@ Rails.application.routes.draw do
   resources :accounts
-  scope 'accounts/new' do
-    scope 'bank' do
-      get '', to: 'accounts#new_bank', as: 'new_bank'
+  scope "accounts/new" do
+    scope "bank" do
+      get "", to: "accounts#new_bank", as: "new_bank"
     end
   end
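Review bot: `params[:type].constantizes` on the allowlisted branch of `account_type_class` is a typo — `String#constantizes` does not exist, so every request that passes a valid type (e.g. `?type=Checking`) now raises NoMethodError instead of resolving the class; it should read `params[:type].constantize`. With the bare `rescue` gone, the allowlist is also the only thing between a caller and a NameError, so it must contain only names that really are loadable Account subclasses; the depository.rb hunk suggests the concrete class may be `Depository` rather than `Checking`, which is worth confirming before merging. The `present?` check is redundant because `include?` already rejects nil, and the array is rebuilt on every call; hoisting it to a frozen class constant, `VALID_ACCOUNT_TYPES = %w[Checking CreditCard].freeze`, and using a guard, `return Account unless VALID_ACCOUNT_TYPES.include?(params[:type])`, reads more plainly. The allowlist-then-constantize shape itself is the right replacement for the previous unrestricted `constantize` on user input.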