From b6996608a5ecc2053e9403c6a48af492bc46a355 Mon Sep 17 00:00:00 2001
From: Steve Kenworthy
Date: Sat, 10 Sep 2022 11:29:12 +0800
Subject: [PATCH] Mitigate potential denial of service issue by whitelisting bucket parameter.

---
 app/models/polymorphic/task.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32ccf..7cdb24d67e 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ def self.find_all_grouped(user, view)
 #----------------------------------------------------------------------------
 def self.bucket_empty?(bucket, user, view = "pending")
 return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+ return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
 if view == "assigned"
 assigned_by(user).send(bucket).pending.count