Fix: Validate confirmed query parameter in Person API

src/api/app/controllers/person_controller.rb

@@ -14,9 +14,20 @@ class PersonController < ApplicationController
   before_action :require_admin, only: [:post_userinfo], if: -> { %w[delete lock].include?(params[:cmd]) }
 
   def show
+    if params.key?(:confirmed)
+      allowed = %w[true false 1 0]
+
+      unless allowed.include?(params[:confirmed].to_s)
+        return render_error(
+          status: 400,
+          errorcode: 'invalid_parameter',
+          message: "Invalid value for 'confirmed'. Allowed values: #{allowed.join(', ')}"
+        )
+      end
+    end
     @list = if params[:prefix]
               User.where('login LIKE ?', "#{params[:prefix]}%")
-            elsif params[:confirmed]
+            elsif %w[true 1].include?(params[:confirmed].to_s)
               User.confirmed
             else
               User.not_deleted

src/api/test/functional/person_controller_test.rb

@@ -27,6 +27,36 @@ def test_index
     assert_response :success
   end
 
+  def test_confirmed_param_validation
+    login_adrian
+
+    # valid: true
+    get '/person?confirmed=true'
+    assert_response :success
+
+    # valid: false
+    get '/person?confirmed=false'
+    assert_response :success
+
+    # valid: numeric true
+    get '/person?confirmed=1'
+    assert_response :success
+
+    # valid: numeric false
+    get '/person?confirmed=0'
+    assert_response :success
+
+    # invalid: random string
+    get '/person?confirmed=abc'
+    assert_response :bad_request
+    assert_xml_tag tag: 'status', attributes: { code: 'invalid_parameter' }
+
+    # invalid: empty value
+    get '/person?confirmed='
+    assert_response :bad_request
+    assert_xml_tag tag: 'status', attributes: { code: 'invalid_parameter' }
+  end
+
   def test_ichain
     login_adrian
     get '/person/tom', headers: { 'username' => 'fred' }