We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak


Model attribute used in file name



FileUtils.rm(((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(upload)), :force => true)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.