The Person API PersonController#show accepts a query parameter confirmed. However, the code does not validate the type or value of this parameter; it only checks for its presence. We should restrict this parameter to accept only the allowed values.
https://github.com/openSUSE/open-build-service/blob/master/src/api/app/controllers/person_controller.rb#L19
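
A sketch of the difference between a presence-only check and a type-and-value allowlist for `confirmed`, as an added example that is not code from open-build-service. The allowed values (`true`/`false`), the helper names and the sample inputs are assumptions, since the issue does not list them.

```ruby
# Added example, not code from open-build-service.
# ALLOWED_CONFIRMED is an assumption: the issue does not list the allowed values.
ALLOWED_CONFIRMED = %w[true false].freeze

# Presence-only check, the behaviour the issue describes (constructed stand-in).
def presence_only?(params)
  value = params['confirmed']
  !(value.nil? || (value.respond_to?(:empty?) && value.empty?))
end

# Strict check: the value must be a String (type) and in the allowlist (value).
# Returns true/false, nil when the optional parameter is absent,
# and raises ArgumentError for anything else.
def parse_confirmed(params)
  return nil unless params.key?('confirmed')

  value = params['confirmed']
  unless value.is_a?(String) && ALLOWED_CONFIRMED.include?(value)
    raise ArgumentError, "invalid value for 'confirmed'"
  end
  value == 'true'
end

# Constructed inputs, shaped the way Rack/Rails parse these query strings.
SAMPLES = {
  '?confirmed=true'   => { 'confirmed' => 'true' },
  '?confirmed=banana' => { 'confirmed' => 'banana' },
  '?confirmed[]=true' => { 'confirmed' => ['true'] },
  '?confirmed[x]=1'   => { 'confirmed' => { 'x' => '1' } },
  '(absent)'          => {}
}.freeze

# Runs both checks over every sample and returns the verdicts per query.
def verdicts
  SAMPLES.transform_values do |params|
    strict = begin
      parse_confirmed(params)
    rescue ArgumentError
      :rejected
    end
    { presence_only: presence_only?(params), strict: strict }
  end
end

verdicts.each { |query, v| puts format('%-20s %s', query, v) } if __FILE__ == $PROGRAM_NAME
```

The presence-only check treats an arbitrary string, an array and a hash the same as a valid value, while the strict check rejects all three.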