user_history.rb
Severity: Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_history.rb:123

self.where(:action => filters[:action_id]).where(:custom_type => filters[:custom_type]).where("#{key}_id = ?", User.where(:username_lower => filters[key].downcase).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_history.rb or mark it as false positive.

user_search.rb
Severity: Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_search.rb:95

User.joins("JOIN (SELECT unnest uid, row_number() OVER () AS rn\n      FROM unnest('{#{search_ids.join(",")}}'::int[])\n    ) x on uid = users.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

post_action.rb
Severity: Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:442

Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).sum("#{post_action_type_key}_count")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

group_history.rb
Severity: Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group_history.rb:42

self.includes(:acting_user, :target_user).where(:group_id => group.id).order("group_histories.created_at DESC").where(:action => self.actions[params.slice(*filters)[:action].to_sym]).where(:subject => params.slice(*filters)[:subject]).where("#{filter}_id" => User.where(:username_lower => params.slice(*filters)[filter]).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group_history.rb or mark it as false positive.

application_controller.rb
Severity: Severe
Cross-Site Request Forgery
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: Medium

Problem

protect_from_forgery should be configured with 'with: :exception'

Location

app/controllers/application_controller.rb

Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

emoji.rb
Severity: Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/models/emoji.rb:73

File.open("#{Emoji.base_directory}/#{name}#{File.extname(file.original_filename)}", "wb")

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/emoji.rb or mark it as false positive.

upload.rb
Severity: Severe
Command Injection
Discovered almost 5 years ago
Source: static code analysis
Category: Command Injection
Confidence level: Medium

Problem

Possible command injection

Location

app/models/upload.rb:249

`convert #{path} -auto-orient #{path}`

Category description: Command injection occurs when shell commands unsafely include user-manipulatable values.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

group.rb
Severity: Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group.rb:225

GroupUser.joins("RIGHT JOIN (#{case name
when :admins then
  "SELECT u.id FROM users u WHERE u.admin"
when :moderators then
  "SELECT u.id FROM users u WHERE u.moderator"
when :staff then
  "SELECT u.id FROM users u WHERE u.moderator OR u.admin"
when :trust_level_1, :trust_level_2, :trust_level_3, :trust_level_4 then
  "SELECT u.id FROM users u WHERE u.trust_level >= #{({ :everyone => 0, :admins => 1, :moderators => 2, :staff => 3, :trust_level_0 => 10, :trust_level_1 => 11, :trust_level_2 => 12, :trust_level_3 => 13, :trust_level_4 => 14 }[name] - 10)}"
when :trust_level_0 then
  "SELECT u.id FROM users u"
else
  # do nothing
end}) X ON X.id = user_id AND group_id = #{(self.lookup_group(name) or Group.new(:name => name.to_s, :automatic => true)).id}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group.rb or mark it as false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:116

send_file(Discourse.store.path_for(get_optimized_image((Upload.find_by(:id => upload_id.to_i) or User.find_by(:username_lower => params[:username].to_s.downcase).uploaded_avatar), params[:size].to_i)), :disposition => nil)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:27

crawlable_meta_data(:title => Topic.find_by_id(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[(params[:id] or "faq")][:topic_id])).title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

unsubscribed.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribed.html.erb:11

t("unsubscribed.topic_description", :link => render_topic_title(Topic.find_by(:id => params[:topic_id].to_i)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribed.html.erb or mark it as false positive.

uploads_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:85

File.open("#{File.dirname((FileHelper.download(url, [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse-upload-#{type}") rescue nil or file.tempfile).path)}/image.jpg")

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as false positive.

uploads_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:44

send_file(Discourse.store.path_for((Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"]))), :filename => (Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"])).original_filename, :disposition => "inline")

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as false positive.

upload.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:285

File.open(((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(upload)))

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:61

send_file(LetterAvatar.generate(params[:username].to_s, params[:size].to_i), :disposition => nil)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:30

t("unsubscribe.mute_topic", :link => render_topic_title(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

upload.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:295

FileUtils.rm(((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(upload)), :force => true)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

index.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/categories/index.html.erb:17

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/categories/index.html.erb or mark it as false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:44

send_file(LetterAvatar.generate(params[:letter].to_s, params[:size].to_i, :identity => LetterAvatar::Identity.new), :disposition => nil)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

posts_controller.rb
Severity: Moderate
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/posts_controller.rb:131

redirect_to(path(Post.find(params[:post_id].to_i).url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/posts_controller.rb or mark it as false positive.

optimized_image.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/optimized_image.rb:272

FileUtils.rm(((FileHelper.download(((SiteSetting.scheme + ":") + optimized_image.url.dup), SiteSetting.max_image_size_kb.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(optimized_image)), :force => true)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

index.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/about/index.html.erb:109

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/about/index.html.erb or mark it as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:40

t("unsubscribe.unwatch_category", :category => category_badge(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic).category))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

invites_controller.rb
Severity: Moderate
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/invites_controller.rb:31

redirect_to(path("#{Invite.find_by(:invite_key => params[:id]).topics.first.relative_url}"))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/invites_controller.rb or mark it as false positive.

unsubscribe.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:23

t("unsubscribe.stop_watching_topic", :link => render_topic_title(((UnsubscribeKey.find_by(:key => params[:key]).post and UnsubscribeKey.find_by(:key => params[:key]).post.topic) or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

optimized_image.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/optimized_image.rb:263

File.open(((FileHelper.download(((SiteSetting.scheme + ":") + optimized_image.url.dup), SiteSetting.max_image_size_kb.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(optimized_image)))

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

emoji.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/emoji.rb:72

FileUtils.mkdir_p(Pathname.new("#{Emoji.base_directory}/#{name}#{File.extname(file.original_filename)}").dirname)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/emoji.rb or mark it as false positive.

invite.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/invite.rb:267

FileUtils.mkdir_p(Pathname.new("#{Invite.base_directory}/#{name}#{File.extname(file.original_filename)}").dirname)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/invite.rb or mark it as false positive.

login.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/login.html.erb:2

PrettyText.cook(I18n.t("login_required.welcome_message", :title => SiteSetting.title))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/login.html.erb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:65

crawlable_meta_data(:title => TopicView.new(params[:topic_id]).title, :description => TopicView.new(params[:topic_id]).summary, :image => TopicView.new(params[:topic_id]).image_url, :read_time => TopicView.new(params[:topic_id]).read_time, :like_count => TopicView.new(params[:topic_id]).like_count)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/topics/show.html.erb or mark it as false positive.