
Use strong parameters pattern for Community sort user input #3650

@pgwillia

Description


Jupiter relies on the lower layers (e.g., ActiveRecord, Solr) to validate HTTP request parameters. For example, in this case sort is passed with the stringified SQL injection attempt. This could be handled at a higher code level (maybe model or controller) where the set of possible sortable fields is known and the string thrown out before reaching ActiveRecord.

https://guides.rubyonrails.org/v7.1/action_controller_overview.html#strong-parameters

View details in Rollbar: https://app.rollbar.com/a/ualbertalib/fix/item/jupiter/2022


ActiveRecord::UnknownAttributeReference: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(/**//**/sElEcT 1 /**//**/fRoM(/**//**/sElEcT count(*),/**//**/cOnCaT((/**//**/sElEcT (/**//**/sElEcT /**//**/uNhEx(/**//**/hEx(/**//**/cOnCaT(0x7e,0x413936313543373834333044,0x7e)))) /**//**/fRoM information_schema./**//**/tAbLeS /**//**/lImIt 0,1),floor(rand(0)*2))x /**//**/fRoM information_schema./**//**/tAbLeS group by x)a)".This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql().
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/sanitization.rb", line 184, in disallow_raw_sql!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 1875, in preprocess_order_args
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 604, in order!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 599, in order
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/querying.rb", line 23, in order
  File "/var/www/sites/jupiter/app/controllers/communities_controller.rb", line 7, in block (2 levels) in index
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/mime_responds.rb", line 214, in respond_to
  File "/var/www/sites/jupiter/app/controllers/communities_controller.rb", line 5, in index
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/basic_implicit_render.rb", line 6, in send_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/base.rb", line 224, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/rendering.rb", line 165, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/callbacks.rb", line 259, in block in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 121, in block in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actiontext-7.1.3.4/lib/action_text/rendering.rb", line 23, in with_renderer
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actiontext-7.1.3.4/lib/action_text/engine.rb", line 69, in block (4 levels) in <class:Engine>
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 130, in instance_exec
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 130, in block in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 141, in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/callbacks.rb", line 258, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/rescue.rb", line 25, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/instrumentation.rb", line 74, in block in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications.rb", line 206, in block in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications/instrumenter.rb", line 58, in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications.rb", line 206, in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/instrumentation.rb", line 73, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/params_wrapper.rb", line 261, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/railties/controller_runtime.rb", line 32, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/base.rb", line 160, in process
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionview-7.1.3.4/lib/action_view/rendering.rb", line 40, in process
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal.rb", line 227, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal.rb", line 309, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 49, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 32, in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 51, in block in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 131, in block in find_routes
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 124, in each
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 124, in find_routes
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 32, in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 882, in call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/flipper-1.3.0/lib/flipper/middleware/memoizer.rb", line 87, in memoized_call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/flipper-1.3.0/lib/flipper/middleware/memoizer.rb", line 45, in call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb", line 470, in call_app!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/omniauth-saml-2.1.0/lib/omniauth/strategies/saml.rb", line 86, in other_phase
  F
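One way to apply the allowlist the issue asks for, as an added example that is not Jupiter's own code: the `sort` and `direction` values are mapped to known columns before the `order` call (the one at `communities_controller.rb` line 7 in the trace above) ever sees them. The `CommunitySort` module, its field names and the default ordering are assumptions for illustration.

```ruby
# Added example (not Jupiter's code): allowlist the Community sort input in
# the controller layer so that a stringified SQL payload is rejected before
# ActiveRecord's order() is reached. Module, field names and default are
# assumptions for illustration.
module CommunitySort
  # Public sort keys -> real column names. Anything else is rejected.
  SORTABLE = {
    "title"   => "title",
    "created" => "created_at",
    "updated" => "updated_at"
  }.freeze
  DIRECTIONS = %w[asc desc].freeze
  DEFAULT = { title: :asc }.freeze

  class InvalidSort < ArgumentError; end

  # Takes the raw params[:sort] / params[:direction] values and returns a
  # hash such as { created_at: :desc }, which is the form ActiveRecord's
  # order() validates as attribute names rather than treating as raw SQL.
  # Raises InvalidSort for any value outside the allowlist; the user string
  # itself is deliberately not echoed into the message.
  def self.order_clause(sort, direction)
    key = sort.nil? ? "title" : sort.to_s
    column = SORTABLE.fetch(key) { raise InvalidSort, "unknown sort field" }
    dir = direction.nil? ? "asc" : direction.to_s.downcase
    raise InvalidSort, "unknown sort direction" unless DIRECTIONS.include?(dir)
    { column.to_sym => dir.to_sym }
  end

  # Lenient variant for a listing page: a tampered link degrades to the
  # default ordering instead of raising, while still never passing the
  # user-supplied string through.
  def self.order_clause_or_default(sort, direction)
    order_clause(sort, direction)
  rescue InvalidSort
    DEFAULT
  end
end

# Constructed inputs: a valid request and one carrying a non-column string.
if __FILE__ == $PROGRAM_NAME
  p CommunitySort.order_clause("created", "DESC")               # {:created_at=>:desc}
  p CommunitySort.order_clause_or_default("(sElEcT 1)", "asc") # {:title=>:asc}
end
```

In the controller this becomes `Community.order(CommunitySort.order_clause_or_default(params[:sort], params[:direction]))`; a truly known-safe literal would still need `Arel.sql`, but with an allowlist none is required.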
