People are trying things.. Only allow valid eventType values.

stefansundin · Nov 22, 2018 · 3acc6f0 · 3acc6f0
1 parent de5013d
commit 3acc6f0
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/app.rb b/app.rb
@@ -243,7 +243,11 @@
   end
 
   ids = if params[:eventType]
-    params[:eventType].split(",").map do |eventType|
+    eventTypes = params[:eventType].split(",")
+    if eventTypes.any? { |type| !%w[completed live upcoming].include?(type) }
+      return [400, "Invalid eventType. Valid types: completed live upcoming."]
+    end
+    eventTypes.map do |eventType|
       query[:eventType] = eventType
       response = Google.get("/youtube/v3/search", query: query)
       raise(GoogleError, response) if !response.success?