
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:44

send_file(Discourse.store.path_for((Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"]))), :filename => (Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"])).original_filename, :disposition => "inline")

Category description: User-supplied input that can contain ".." or similar characters is passed through to file access APIs, which can allow access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as a false positive.