From 1d4803c31abbef53c6104d81f4aa95db38308299 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Wed, 12 Jan 2022 22:40:04 +0000
Subject: [PATCH] Whitelist valid step param values

---
 app/controllers/split_checkout_controller.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/app/controllers/split_checkout_controller.rb b/app/controllers/split_checkout_controller.rb
index 6ff7c24188..25775745f0 100644
--- a/app/controllers/split_checkout_controller.rb
+++ b/app/controllers/split_checkout_controller.rb
@@ -53,7 +53,8 @@ class SplitCheckoutController < ::BaseController
     @order.select_shipping_method(params[:shipping_method_id])
     @order.update(order_params)
-    send("validate_#{params[:step]}!")
+
+    validate_current_step!
     @order.errors.empty?
   end
@@ -68,6 +69,11 @@ class SplitCheckoutController < ::BaseController
     OrderWorkflow.new(@order).advance_checkout(raw_params.slice(:shipping_method_id))
   end
+  def validate_current_step!
+    step = params[:step].tap{ |step| ["details", "payment", "summary"].include? step }
+    send("validate_#{step}!")
+  end
+
   def validate_details!
     return true if params[:shipping_method_id].present?
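Review bot: The allow-list in `validate_current_step!` has no effect, because `tap` always returns its receiver and discards the block's result, so `step` is still the raw `params[:step]` and the `send("validate_#{step}!")` on the next line is as unconstrained as the `send` the first hunk removes (the block parameter also shadows the outer `step` local, which RuboCop will flag). The check needs to gate the call, and since the caller only inspects `@order.errors.empty?` afterwards, a silent return on an unknown step would make an invalid step look valid, so rejecting the request is safer: `step = params[:step]`, `raise ActionController::BadRequest, "invalid step" unless %w[details payment summary].include?(step)`, `send("validate_#{step}!")`. This also covers a missing `params[:step]` (`nil`), which today would interpolate into `validate_!`. A one-line comment above the method, `# Only the three known checkout steps may be dispatched to by name`, would record why the allow-list exists.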