Ensure that permitted event host types are allow-listed to prevent security issues

rsmithlal · rsmithlal · commit c0356693818e · 2025-08-20T19:32:10.000-02:30
diff --git a/app/controllers/better_together/events_controller.rb b/app/controllers/better_together/events_controller.rb
@@ -21,10 +21,9 @@ def index
     def build_event_hosts # rubocop:disable Metrics/AbcSize
       return unless params[:host_id].present? && params[:host_type].present?
 
-      host_klass = params[:host_type].safe_constantize
-      return unless host_klass
+      return unless event_host_class
 
-      policy_scope = Pundit.policy_scope!(current_user, host_klass)
+      policy_scope = Pundit.policy_scope!(current_user, event_host_class)
       host_record = policy_scope.find_by(id: params[:host_id])
       return unless host_record
 
@@ -34,6 +33,14 @@ def build_event_hosts # rubocop:disable Metrics/AbcSize
       )
     end
 
+    def event_host_class
+      param_type = params[:host_type]
+
+      # Allow-list only specific classes to be set as host for an event
+      valid_host_types = BetterTogether::HostsEvents.included_in_models
+      valid_host_types.find { |klass| klass.to_s == param_type }
+    end
+
     def resource_class
       ::BetterTogether::Event
     end
diff --git a/app/models/better_together/person.rb b/app/models/better_together/person.rb
@@ -12,6 +12,7 @@ def self.primary_community_delegation_attrs
     include Author
     include Contactable
     include FriendlySlug
+    include HostsEvents
     include Identifier
     include Identity
     include Member
diff --git a/app/models/concerns/better_together/hosts_events.rb b/app/models/concerns/better_together/hosts_events.rb
@@ -2,12 +2,19 @@
 
 module BetterTogether
   # Concern that when included gives the model access to events through event_host records
+  # This module must be included in a model to permit assigning instances as an event host
   module HostsEvents
     extend ActiveSupport::Concern
 
     included do
       has_many :event_hosts, as: :host
       has_many :hosted_events, through: :event_hosts, source: :event
     end
+
+    def self.included_in_models
+      included_module = self
+      Rails.application.eager_load! if Rails.env.development? # Ensure all models are loaded
+      ActiveRecord::Base.descendants.select { |model| model.included_modules.include?(included_module) }
+    end
   end
 end
