Mitigate potential denial of service issue by whitelisting bucket parameter.

steveyken · steveyken · commit 6b0ef26b1fec · 2022-10-07T09:16:31.000+08:00
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
@@ -188,6 +188,7 @@ def self.find_all_grouped(user, view)
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
 
     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
