Whitelist valid step param values

2026-02-27 01:43:22 +00:00 · 2022-01-12 22:40:04 +00:00
parent b850fd6fda
commit 1d4803c31a
1 changed files with 7 additions and 1 deletions
--- a/app/controllers/split_checkout_controller.rb
+++ b/app/controllers/split_checkout_controller.rb
@@ -53,7 +53,8 @@ class SplitCheckoutController < ::BaseController

    @order.select_shipping_method(params[:shipping_method_id])
    @order.update(order_params)
-    send("validate_#{params[:step]}!")
+
+    validate_current_step!

    @order.errors.empty?
  end
@@ -68,6 +69,11 @@ class SplitCheckoutController < ::BaseController
    OrderWorkflow.new(@order).advance_checkout(raw_params.slice(:shipping_method_id))
  end

+  def validate_current_step!
+    step = params[:step].tap{ |step| ["details", "payment", "summary"].include? step }
+    send("validate_#{step}!")
+  end
+
  def validate_details!
    return true if params[:shipping_method_id].present?