FIX: Better and more secure validation of periods for TopicQuery

Co-authored-by: Martin Brennan <mjrbrennan@gmail.com>

app/controllers/embed_controller.rb

@@ -57,8 +57,13 @@ class EmbedController < ApplicationController
     end
 
     topic_query = TopicQuery.new(current_user, list_options)
-    top_period = params[:top_period]&.to_sym
-    valid_top_period = TopTopic.periods.include?(top_period)
+    top_period = params[:top_period]
+    begin
+      TopTopic.validate_period(top_period)
+      valid_top_period = true
+    rescue Discourse::InvalidParameters
+      valid_top_period = false
+    end
 
     @list = if valid_top_period
       topic_query.list_top_for(top_period)

app/controllers/list_controller.rb

@@ -218,6 +218,8 @@ class ListController < ApplicationController
     @atom_link = "#{Discourse.base_url}/top.rss"
     @description = I18n.t("rss_description.top")
     period = params[:period] || SiteSetting.top_page_default_timeframe.to_sym
+    TopTopic.validate_period(period)
+
     @topic_list = TopicQuery.new(nil).list_top_for(period)
 
     render 'list', formats: [:rss]

app/controllers/tags_controller.rb

@@ -90,6 +90,8 @@ class TagsController < ::ApplicationController
 
       if filter == :top
         period = params[:period] || SiteSetting.top_page_default_timeframe.to_sym
+        TopTopic.validate_period(period)
+
         @list = TopicQuery.new(current_user, list_opts).public_send("list_top_for", period)
         @list.for_period = period
       else