Merge pull request #252 from robzolkos/safe-account

Fix account param safety

app/controllers/accounts_controller.rb

@@ -33,8 +33,10 @@ class AccountsController < ApplicationController
   end
 
   def account_type_class
-    params[:type].constantize
-  rescue
-    Account # Default to Account if type is not provided or invalid
+    if params[:type].present? && Account::VALID_ACCOUNT_TYPES.include?(params[:type])
+      params[:type].constantizes
+    else
+      Account # Default to Account if type is not provided or invalid
+    end
   end
 end

app/models/account.rb

@@ -1,3 +1,5 @@
 class Account < ApplicationRecord
   belongs_to :family
+
+  VALID_ACCOUNT_TYPES = %w[Investment Depository Credit Loan Property Vehicle OtherAsset OtherLiability].freeze
 end

app/models/depository.rb

@@ -1,2 +1,2 @@
 class Depository < Account
-end
+end

config/routes.rb

@@ -6,9 +6,9 @@ Rails.application.routes.draw do
 
   resources :accounts
 
-  scope 'accounts/new' do
-    scope 'bank' do
-      get '', to: 'accounts#new_bank', as: 'new_bank'
+  scope "accounts/new" do
+    scope "bank" do
+      get "", to: "accounts#new_bank", as: "new_bank"
     end
   end