feat: Implement source type validation in Joatu controllers and enhance Exchange concern

Author: rsmithlal

app/controllers/better_together/joatu/joatu_controller.rb

@@ -25,6 +25,19 @@ def resource_params # rubocop:todo Metrics/CyclomaticComplexity, Metrics/MethodL
 
         rp
       end
+
+      private
+
+      # Safely resolve a source_type parameter to a valid Joatu model class
+      # Allow-list only classes that include the Exchange concern to prevent security issues
+      def joatu_source_class(source_type_param)
+        param_type = source_type_param.to_s
+
+        # Dynamically build allow-list from models that include the Exchange concern
+        valid_source_types = BetterTogether::Joatu::Exchange.included_in_models
+        
+        valid_source_types.find { |klass| klass.to_s == param_type }
+      end
     end
   end
 end

app/controllers/better_together/joatu/offers_controller.rb

@@ -82,7 +82,9 @@ def new # rubocop:todo Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedC
         resource_instance
         # If source params were provided, load and authorize the source so the view can safely render it
         if (source_type = params[:source_type].presence) && (source_id = params[:source_id].presence)
-          source_klass = source_type.to_s.safe_constantize
+          source_klass = joatu_source_class(source_type)
+          return unless source_klass
+
           @source = source_klass&.with_translations&.includes(:categories, :address, creator: :string_translations)&.find_by(id: source_id) # rubocop:disable Layout/LineLength,Style/SafeNavigationChainLength
           begin
             authorize @source if @source

app/controllers/better_together/joatu/requests_controller.rb

@@ -87,7 +87,9 @@ def new # rubocop:todo Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/Me
         resource_instance
         # If source params were provided, load and authorize the source so the view can safely render it
         if (source_type = params[:source_type].presence) && (source_id = params[:source_id].presence)
-          source_klass = source_type.to_s.safe_constantize
+          source_klass = joatu_source_class(source_type)
+          return unless source_klass
+
           @source = source_klass&.with_translations&.includes(:categories, :address, creator: :string_translations)&.find_by(id: source_id) # rubocop:disable Layout/LineLength,Style/SafeNavigationChainLength
           begin
             authorize @source if @source

app/controllers/better_together/joatu/response_links_controller.rb

@@ -21,7 +21,13 @@ def create # rubocop:todo Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics
                                alert: 'Invalid source'
         end
 
-        source = source_type.constantize.with_translations.includes(:categories, :address, creator: :string_translations).find_by(id: source_id) # rubocop:disable Layout/LineLength
+        source_klass = joatu_source_class(source_type)
+        unless source_klass
+          return redirect_back fallback_location: joatu_hub_path,
+                               alert: 'Invalid source type'
+        end
+
+        source = source_klass.with_translations.includes(:categories, :address, creator: :string_translations).find_by(id: source_id) # rubocop:disable Layout/LineLength
         return redirect_back fallback_location: joatu_hub_path, alert: 'Source not found' unless source
 
         # Only allow creating responses against sources that are open or already matched

app/models/concerns/better_together/joatu/exchange.rb

@@ -60,6 +60,12 @@ def permitted_attributes(id: false, destroy: false)
         end
       end
 
+      def self.included_in_models
+        included_module = self
+        Rails.application.eager_load! if Rails.env.development? # Ensure all models are loaded
+        ActiveRecord::Base.descendants.select { |model| model.included_modules.include?(included_module) }
+      end
+
       # Return matching counterpart records (requests for offers, offers for requests)
       def find_matches
         BetterTogether::Joatu::Matchmaker.match(self)