Address brakeman security concern re: dispatching controller method via path

Author: rsmithlal

app/controllers/better_together/setup_wizard_steps_controller.rb

@@ -6,7 +6,7 @@ class SetupWizardStepsController < WizardStepsController
     skip_before_action :determine_wizard_outcome, only: %i[create_host_platform create_admin]
 
     def redirect
-      public_send params[:path]
+      public_send permitted_path(params[:path])
     end
 
     def platform_details
@@ -116,6 +116,10 @@ def create_admin # rubocop:todo Metrics/AbcSize, Metrics/MethodLength
 
     private
 
+    def permitted_path path
+      path if %w[platform_details create_host_platform admin_creation create_admin].include?(path)
+    end
+
     def base_platform
       ::BetterTogether::Platform.new(
         url: helpers.base_url,