SECURITY: Sanitize YouTube video_id and list_id values (#481)

SECURITY: Sanitize YouTube video_id and list_id values (#481)

diff --git a/lib/onebox/engine/youtube_onebox.rb b/lib/onebox/engine/youtube_onebox.rb
index 81f822c..237a29e 100644
--- a/lib/onebox/engine/youtube_onebox.rb
+++ b/lib/onebox/engine/youtube_onebox.rb
@@ -89,25 +89,31 @@ module Onebox
 
       def video_id
         @video_id ||= begin
+          id = nil
+
           # http://youtu.be/afyK1HSFfgw
           if uri.host["youtu.be"]
             id = uri.path[/\/([\w\-]+)/, 1]
-            return id if id
           end
 
           # https://www.youtube.com/embed/vsF0K3Ou1v0
           if uri.path["/embed/"]
-            id = uri.path[/\/embed\/([\w\-]+)/, 1]
-            return id if id
+            id ||= uri.path[/\/embed\/([\w\-]+)/, 1]
           end
 
           # https://www.youtube.com/watch?v=Z0UISCEe52Y
-          params['v']
+          id ||= params['v']
+
+          sanitize_yt_id(id)
         end
       end
 
       def list_id
-        @list_id ||= params['list']
+        @list_id ||= sanitize_yt_id(params['list'])
+      end
+
+      def sanitize_yt_id(raw)
+        raw&.match?(/\A[\w-]+\z/) ? raw : nil
       end
 
       def embed_params
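Review bot: `sanitize_yt_id` is inserted between `list_id` and `embed_params` with no `private` marker anywhere in the hunk, so unless a `private` section sits further down the class (the class body continues outside this hunk) the new helper becomes part of the engine's public interface; mark it `private` or move it under the existing private section. The helper also carries no comment saying why the value is constrained, which is the whole point of the commit; I would add `# Only the YouTube id alphabet is accepted so the value cannot carry anything else into the embed URL/markup it is later interpolated into.` (the interpolation site is not visible here, so confirm the wording against it). The `\A`/`\z` anchoring with `match?` is the right choice for whole-string validation, and Ruby's `\w` is ASCII-only, so the accepted set is exactly `[A-Za-z0-9_-]`. One side effect of the rewritten `video_id`: when `sanitize_yt_id` returns nil, `@video_id ||=` never memoizes and the whole block re-runs on every call; harmless in itself, but if `params` can ever yield an Array for a repeated query key, `raw&.match?` would raise rather than return nil, so it is worth checking how `params` is built.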
diff --git a/lib/onebox/version.rb b/lib/onebox/version.rb
index ef74665..475e0c3 100644
--- a/lib/onebox/version.rb
+++ b/lib/onebox/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Onebox
-  VERSION = "2.2.18"
+  VERSION = "2.2.19"
 end

GitHub sha: ac27cffac4ce590e5dd0576200d465663d274f2e

This commit appears in #481 which was approved by eviltrout. It was merged by davidtaylorhq.