    field.singularize.classify.constantize

can cause arbitrary class loading or potential exploitation / unexpected behavior

fix to this:

    model_class = ALLOWED_ASSOCIATIONS[field.to_sym]
    fail %(Association "#{field}" not allowed) unless model_class
    filter_result = parse_filters(data, safe, model_class)
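An added, stand-alone example (not the project's code) contrasting the flagged constantize pattern with the allowlist lookup suggested above; the model classes, the `naive_classify` stand-in for ActiveSupport's inflection, and the `AssociationNotAllowed` error are constructed so the script runs without Rails.

```ruby
# Constructed stand-in models so the script runs offline without Rails.
class User; end
class Post; end
class Comment; end

# Fixed table of permitted association names and the classes they may load.
ALLOWED_ASSOCIATIONS = {
  users: User,
  posts: Post,
  comments: Comment,
}.freeze

# Hypothetical stand-in for ActiveSupport's singularize/classify:
# strips a trailing "s" and capitalises. Real inflection rules are richer.
def naive_classify(field)
  field.to_s.sub(/s\z/, '').capitalize
end

# The pattern flagged in review: whatever constant name the input maps to
# gets resolved, so unrelated core classes become reachable from a request.
def unsafe_model_class(field)
  Object.const_get(naive_classify(field))
end

class AssociationNotAllowed < StandardError; end

# The suggested fix: look the field up in the allowlist and refuse the rest.
def safe_model_class(field)
  model_class = ALLOWED_ASSOCIATIONS[field.to_sym]
  raise AssociationNotAllowed, %(Association "#{field}" not allowed) unless model_class
  model_class
end

# Review aid: which inputs the unsafe path would resolve to some constant
# even though the allowlist does not permit them.
def accepted_only_by_unsafe(fields)
  fields.select do |f|
    begin
      unsafe_model_class(f)
      !ALLOWED_ASSOCIATIONS.key?(f.to_sym)
    rescue NameError
      false
    end
  end
end
```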