Security: Address Brakeman unsafe constantize warnings #807

@kitcommerce

Summary

Brakeman flagged unsafe reflection / constantize called on (or derived from) request parameters.

Findings:

  • core: app/queries/workarea/admin_search_query_wrapper.rb:27 -> params[:model_type].constantize
  • admin: app/controllers/workarea/admin/bulk_actions_controller.rb:7 -> params[:type].constantize
  • admin: app/controllers/workarea/admin/create_segments_controller.rb:66 -> "Workarea::Segment::Rules::#{params[:rule_type].to_s.camelize}".constantize
  • admin: app/controllers/workarea/admin/segment_rules_controller.rb:59 -> same pattern

Risk: constant injection / unexpected class loading (Brakeman classifies as RCE risk).

Objective

Eliminate unsafe constantize usage sourced from request params by replacing it with an explicit allowlist mapping.

Acceptance Criteria

  • All Brakeman “unsafe reflection/constantize” warnings listed above are resolved.
  • Request params are validated against an explicit allowlist before constant lookup.
  • Unknown/invalid param values are handled safely (e.g., 404 or validation error) without raising.
  • Add/adjust tests to cover at least one rejected value for each endpoint.
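The allowlist approach described above, shown as an added example that is not Workarea's own code: the rule class names, the stand-in `unsafe_rule_class` (using `Object.const_get` in place of ActiveSupport's `constantize`) and `rule_class_for` are all hypothetical.

```ruby
# Added example, not code from the Workarea project. The rule classes below are
# hypothetical stand-ins for the classes under Workarea::Segment::Rules.
module Workarea
  module Segment
    module Rules
      class Sessions; end
      class Orders; end
    end
  end
end

# Stand-in for the flagged pattern: the name is derived from the request param
# and resolved directly, so any loadable constant the client names is returned,
# not only segment rules. (Object.const_get stands in for constantize here.)
def unsafe_rule_class(rule_type)
  camelized = rule_type.to_s.split('_').map(&:capitalize).join
  Object.const_get(camelized)
end

# Hardened form: a frozen, explicit mapping is the only path from a param
# value to a class. Nothing is derived from the param beyond a hash lookup.
RULE_TYPES = {
  'sessions' => Workarea::Segment::Rules::Sessions,
  'orders'   => Workarea::Segment::Rules::Orders
}.freeze

# Returns the permitted class for rule_type, or nil for any other value
# (unknown names, nil, wrong case), so the caller can respond with 404 or a
# validation error instead of letting a NameError or a foreign class through.
def rule_class_for(rule_type)
  RULE_TYPES[rule_type.to_s]
end
```

In a controller the nil return is the point at which to `head :not_found` (or add a validation error) before any further work is done with the class.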

Verification Plan

  • Run Brakeman and confirm the warnings are gone.
  • Run the targeted test(s) for affected controllers/queries.

Client Impact

None expected (security hardening; behavior for invalid inputs becomes safer).
