Prevent DOS attack via Symbol injection in AdminController

just3ws · just3ws · commit dd28ce7678d2 · 2014-05-13T16:03:49.000-05:00
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
@@ -47,6 +47,11 @@ def sections_teams
   end
 
   def section_teams
-    @teams = Team.with_completed_section(params[:section].to_sym)
+    @teams = Team.with_completed_section(parse_section_name(params[:section]))
   end
-end
+
+  def parse_section_name(section_name)
+    name = Team::SECTIONS.select { |section| section == section_name }.first
+    return name.to_sym unless name.nil?
+  end
+end
