Mitigate potential denial of service issue by whitelisting bucket par…

…ameter.
fatfreecrm · Sep 10, 2022 · b699660 · b699660
1 parent e2097a2
commit b699660
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ def self.find_all_grouped(user, view)
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
 
     if view == "assigned"
       assigned_by(user).send(bucket).pending.count