From 5fde95565abc791b40187f20c77a81ec1b342111 Mon Sep 17 00:00:00 2001
From: rulingcom
Date: Thu, 28 Nov 2024 18:37:25 +0800
Subject: [PATCH] fix for security issue
---
 app/controllers/property_hires_controller.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/app/controllers/property_hires_controller.rb b/app/controllers/property_hires_controller.rb
index 565512a..fcc699f 100644
--- a/app/controllers/property_hires_controller.rb
+++ b/app/controllers/property_hires_controller.rb
@@ -367,6 +367,9 @@ class PropertyHiresController < ApplicationController
 def get_bookings
+ if !(valid_timestamp?(params[:start]) && valid_timestamp?(params[:end]))
+ return render json: {}, status: :unprocessable_entity
+ end
 events =[]
 allevents = []
 if params[:property_id] == "all"
@@ -667,4 +670,15 @@ class PropertyHiresController < ApplicationController
 return allevents
 end
 
+ def valid_timestamp?(number)
+ begin
+ # Ensure the input is numeric and within a practical range
+ number = Integer(number) rescue Float(number)
+ min_timestamp = Time.new(1900, 1, 1).to_i
+ max_timestamp = Time.new(3000, 12, 31).to_i
+ number >= min_timestamp && number <= max_timestamp
+ rescue ArgumentError, TypeError
+ false
+ end
+ end
 end
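Review bot: The new guard in `get_bookings` validates `params[:start]` and `params[:end]` but discards the coerced value, so the rest of the method (which continues outside the hunk) presumably re-parses the raw strings on its own; validating one representation and then using another leaves the two paths free to drift, so prefer coercing once here and handing the resulting Integer to the downstream code. The negated conjunction is also harder to read than a positive guard: `invalid = !valid_timestamp?(params[:start]) || !valid_timestamp?(params[:end])` followed by `return render(json: {}, status: :unprocessable_entity) if invalid`. A one-line comment stating why an empty JSON body with 422 is the chosen response (rather than `head`) would help the next maintainer.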
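Review bot: `valid_timestamp?` is added as a public instance method of the controller, and unless a `private` marker earlier in the class (outside the hunk) already covers this position, a permissive route could expose it as an action; it belongs under `private`. The `Integer(number) rescue Float(number)` modifier rescues every StandardError, not just conversion failures, and the `begin`/`rescue`/`end` wrapping the whole body is redundant inside a method; `Integer`/`Float` with `exception: false` expresses the same fallback without any rescue. The 1900/3000 bounds are recomputed on each call and could be frozen constants; a short YARD comment (`# @param number [String, Numeric, nil] raw request value` / `# @return [Boolean]`) would document the accepted input.
```ruby
  private

  def valid_timestamp?(number)
    # Accept an integer or float epoch value within a practical range; anything
    # that is not numeric (nil, arrays, hashes, garbage strings) is rejected.
    number = Integer(number, exception: false) || Float(number, exception: false)
    return false unless number

    number.between?(Time.new(1900, 1, 1).to_i, Time.new(3000, 12, 31).to_i)
  end
```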