category_group.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/category_group.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/category_group.rb or mark it as false positive.

user_warning.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_warning.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_warning.rb or mark it as false positive.

draft.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/draft.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/draft.rb or mark it as false positive.

screened_url.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/screened_url.rb:8


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/screened_url.rb or mark it as false positive.

theme_translation_override.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/theme_translation_override.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/theme_translation_override.rb or mark it as false positive.

linked_topic.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/linked_topic.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/linked_topic.rb or mark it as false positive.

user_avatar.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_avatar.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_avatar.rb or mark it as false positive.

user_open_id.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_open_id.rb:4


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_open_id.rb or mark it as false positive.

group_history.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_history.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_history.rb or mark it as false positive.

oauth2_user_info.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/oauth2_user_info.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/oauth2_user_info.rb or mark it as false positive.

theme_javascripts_controller.rb
code Critical
File Access
Discovered 3 months ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/theme_javascripts_controller.rb:34

send_file("#{"#{Rails.root}/tmp/javascript-cache"}/#{params[:digest]}.js", :disposition => :inline)

Category description: This warning is raised when user-supplied input that may contain ".." or similar sequences is passed through to file access APIs, allowing access to files outside the intended directory (path traversal). Triage note for this finding: the tainted value is params[:digest], so the first thing to check is whether the route or the action restricts that parameter to a fixed-format token before it reaches send_file; a strict format check, or a containment check on the resolved path, is what decides whether the line is exploitable.

Solution: fix the issue in app/controllers/theme_javascripts_controller.rb or mark it as false positive.
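The following is an added example, not code from Discourse or from the scanner: it reduces the flagged send_file line to its essence and puts the hardened form beside it. The cache directory location, the DIGEST_RE format (40 hex characters) and the helper names are assumptions for the example; Discourse's own constants and route definitions may differ.

```ruby
require "tmpdir"

# Assumptions for this example (not Discourse's constants or routes):
# the cache lives under the system temp dir and a digest is 40 hex chars.
CACHE_DIR = File.join(Dir.tmpdir, "javascript-cache")
DIGEST_RE = /\A\h{40}\z/

# The shape the scanner flagged, reduced: the request parameter is
# interpolated straight into the path, so nothing stops "../" sequences.
def unsafe_cache_path(digest)
  "#{CACHE_DIR}/#{digest}.js"
end

# Hardened version. Returns nil (caller answers 404) unless the token has the
# expected format AND the resolved path is still inside CACHE_DIR.
def safe_cache_path(digest)
  return nil unless digest.is_a?(String) && digest.match?(DIGEST_RE)
  root = File.expand_path(CACHE_DIR)
  path = File.expand_path("#{digest}.js", root)
  # The regex already excludes "/" and "."; the containment check is a second
  # line of defence that survives a later relaxation of DIGEST_RE.
  return nil unless path.start_with?(root + File::SEPARATOR)
  path
end

# True when a path (e.g. one built by unsafe_cache_path) resolves outside the
# cache directory, i.e. a traversal payload succeeded.
def escapes_cache_dir?(path)
  root = File.expand_path(CACHE_DIR)
  !File.expand_path(path).start_with?(root + File::SEPARATOR)
end

if __FILE__ == $PROGRAM_NAME
  payload = "../../../etc/passwd"
  puts "unsafe: #{unsafe_cache_path(payload)} (escapes: #{escapes_cache_dir?(unsafe_cache_path(payload))})"
  puts "safe:   #{safe_cache_path(payload).inspect}"
  puts "safe:   #{safe_cache_path("a" * 40)}"
end
```

In a Rails application the equivalent first line of defence is a route constraint (for example `constraints: { digest: /\h{40}/ }` on the route), so a request whose digest does not match never reaches the action at all; the containment check inside the action is the belt to that pair of braces.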

directory_item.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/directory_item.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/directory_item.rb or mark it as false positive.

category_tag.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/category_tag.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/category_tag.rb or mark it as false positive.

group_tag_notification_default.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_tag_notification_default.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_tag_notification_default.rb or mark it as false positive.

session_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:188

redirect_to(SiteSetting.discourse_connect_not_approved_url)

Category description: redirect_to is sometimes called with a user-supplied value; if that value can change the target host, an attacker can send a victim to a third-party site (an open redirect, typically abused for phishing). Triage note for this finding: the argument is SiteSetting.discourse_connect_not_approved_url, a site setting rather than a request parameter, so the question is who can set that value and whether it is validated as a URL when saved, not whether an anonymous client controls it per request.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.
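As an added example (not Discourse's code), the check below is the one to apply wherever a redirect target is not a literal, whether it arrives as a request parameter or, as here, from a stored setting. ALLOWED_HOSTS and the function name are assumptions for the example; it uses only Ruby's standard URI library and runs without Rails.

```ruby
require "uri"

# Assumption for this example: the only host the application may redirect to.
ALLOWED_HOSTS = %w[forum.example.com].freeze

# Returns a target that is safe to hand to redirect_to, or nil when the value
# must be refused. Accepted: site-relative paths ("/login") and absolute
# http(s) URLs whose host is allowlisted. Refused: scheme-relative
# "//evil.example", non-http schemes such as javascript:, credential tricks
# like "https://forum.example.com@evil.example/", backslashes (browsers
# normalise "\" to "/"), and anything URI cannot parse.
def safe_redirect_target(candidate, allowed_hosts: ALLOWED_HOSTS)
  return nil unless candidate.is_a?(String)
  value = candidate.strip
  return nil if value.empty? || value.include?("\\")

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return nil
  end

  if uri.scheme.nil? && uri.host.nil?
    # A relative reference: only plain paths qualify, never "//host/...".
    return value if value.start_with?("/") && !value.start_with?("//")
    return nil
  end

  return nil unless %w[http https].include?(uri.scheme&.downcase)
  return nil unless uri.host && allowed_hosts.include?(uri.host.downcase)
  value
end

if __FILE__ == $PROGRAM_NAME
  ["/login", "//evil.example/x", "javascript:alert(1)",
   "https://forum.example.com/t/1", "https://forum.example.com@evil.example/",
   "https://evil.example/", "/\\evil.example"].each do |c|
    puts "#{c.ljust(45)} => #{safe_redirect_target(c).inspect}"
  end
end
```

On Rails 7 the framework can enforce the host part of this for you: with `config.action_controller.raise_on_open_redirects = true`, `redirect_to` raises for an external host unless the call passes `allow_other_host: true`, which makes a deliberate redirect to an admin-configured external URL (the case in this finding) explicit in the code.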

reviewable_history.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_history.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_history.rb or mark it as false positive.

given_daily_like.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/given_daily_like.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/given_daily_like.rb or mark it as false positive.

user_ip_address_history.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_ip_address_history.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_ip_address_history.rb or mark it as false positive.

color_scheme_color.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/color_scheme_color.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/color_scheme_color.rb or mark it as false positive.

topic_allowed_group.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_allowed_group.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_allowed_group.rb or mark it as false positive.

group_category_notification_default.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_category_notification_default.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_category_notification_default.rb or mark it as false positive.

site_settings_controller.rb
code Critical
Dangerous Send
Discovered 3 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/site_settings_controller.rb:34

SiteSetting.send(
  (params[:id] or SiteSettings::DeprecatedSettings::SETTINGS.find do
    break new_name if (old_name == params[:id])
  end)
)

Category description: Using unfiltered user data to select a class or method to be dynamically sent is dangerous. Object#send ignores method visibility, so it reaches private methods on the receiver, including Kernel methods such as system, exit or eval; the usual fix is to validate the requested name against the set of known setting names before dispatching, and to use public_send rather than send.

Solution: fix the issue in app/controllers/admin/site_settings_controller.rb or mark it as false positive.
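The following is an added example, not Discourse's code: a tiny stand-in for SiteSetting shows what the flagged `send` reaches, and an allowlisted `public_send` dispatch shows the fix, including the deprecated-name mapping that the flagged snippet performs. FakeSiteSetting, its settings and the helper names are all constructed for this page.

```ruby
# Stand-in for SiteSetting, hypothetical and deliberately tiny.
class FakeSiteSetting
  KNOWN = { "title" => "My Forum", "max_username_length" => 20 }.freeze
  KNOWN.each { |name, value| define_singleton_method(name) { value } }

  # Old setting names that were renamed, mirroring the deprecated-settings
  # lookup in the flagged snippet.
  DEPRECATED = { "site_title" => "title" }.freeze

  def self.setting_names
    KNOWN.keys
  end

  def self.canonical_name(name)
    DEPRECATED.fetch(name, name)
  end

  # A private class method that must never be reachable from a request.
  def self.wipe_everything!
    "privileged action ran"
  end
  private_class_method :wipe_everything!
end

# The flagged shape: the request-supplied name goes straight into send.
def unsafe_read_setting(settings, name)
  settings.send(name)
end

# Object#send ignores visibility, so private methods on the receiver,
# including Kernel's (system, exit, eval, ...), are all candidates.
def reachable_via_send?(settings, name)
  settings.respond_to?(name, true)
end

# Hardened: map deprecated names, refuse anything outside the known set,
# then dispatch with public_send. The allowlist is still required, because
# public methods such as instance_variable_get are callable via public_send.
def read_setting(settings, name)
  name = settings.canonical_name(name.to_s)
  unless settings.setting_names.include?(name)
    raise ArgumentError, "unknown setting: #{name.inspect}"
  end
  settings.public_send(name)
end

if __FILE__ == $PROGRAM_NAME
  puts "send reaches private method: #{unsafe_read_setting(FakeSiteSetting, "wipe_everything!")}"
  puts "Kernel#system reachable via send? #{reachable_via_send?(FakeSiteSetting, "system")}"
  puts "allowlisted read: #{read_setting(FakeSiteSetting, "site_title")}"
  begin
    read_setting(FakeSiteSetting, "wipe_everything!")
  rescue ArgumentError => e
    puts "refused: #{e.message}"
  end
end
```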

post_action_type.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_action_type.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_action_type.rb or mark it as false positive.

tag.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/tag.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/tag.rb or mark it as false positive.

reviewable_flagged_post.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_flagged_post.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_flagged_post.rb or mark it as false positive.

reviewable.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable.rb or mark it as false positive.

backup_draft_post.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/backup_draft_post.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/backup_draft_post.rb or mark it as false positive.

web_hook_event.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/web_hook_event.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/web_hook_event.rb or mark it as false positive.

static_controller.rb
code Critical
Dynamic Render Path
Discovered 3 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:78

render(
  action => (
    "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.#{I18n.locale}"
    or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.en"
    or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}"
  ),
  { :layout => (not request.xhr?), :formats => ([:html]) }
)

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. Triage note for this finding: in the flagged expression params[:id] is first scrubbed to the character set [a-z0-9_-], which removes "/" and ".", so directory traversal is excluded; what remains is that any template under static/ whose name survives the scrub becomes renderable, so check whether the page name is also restricted to an allowlist of the pages intended to be public.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.
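As an added example (not Discourse's code), the snippet below reduces the flagged render call to a plain function and adds the allowlist step. STATIC_PAGES and AVAILABLE_TEMPLATES are constructed for this page: the first is a hypothetical list of public pages, the second stands in for the templates Rails would find on disk via lookup_context, so that the locale fallback can be shown offline.

```ruby
# Hypothetical allowlist of public static pages; Discourse's list may differ.
STATIC_PAGES = %w[faq tos privacy guidelines].freeze

# Templates "present on disk", constructed for the example. The last entry is
# a file an attacker should not be able to select by name.
AVAILABLE_TEMPLATES = %w[
  static/faq.en static/faq.de static/tos.en static/privacy.en
  static/guidelines.en static/internal-notes.en
].freeze

# The scrub from the flagged line: everything outside [a-z0-9_-] is dropped,
# so "../../etc/passwd" collapses to "etcpasswd" and can never leave static/.
def scrubbed_page_id(raw)
  (raw || "faq").gsub(/[^a-z0-9_\-]/, "")
end

# Hardened resolution: allowlist the page name, then fall back from the
# requested locale to "en" and finally to the bare template, as the flagged
# expression does. Returns nil when the caller should answer 404.
def resolve_static_template(raw_id, locale, available = AVAILABLE_TEMPLATES)
  page = scrubbed_page_id(raw_id)
  return nil unless STATIC_PAGES.include?(page)
  candidates = ["static/#{page}.#{locale}", "static/#{page}.en", "static/#{page}"]
  candidates.find { |template| available.include?(template) }
end

if __FILE__ == $PROGRAM_NAME
  [["faq", "de"], ["tos", "de"], ["internal-notes", "en"], ["../../etc/passwd", "en"], [nil, "en"]].each do |id, locale|
    puts "#{id.inspect.ljust(20)} #{locale} => #{resolve_static_template(id, locale).inspect}"
  end
end
```

The scrub alone already prevents traversal; the allowlist is what turns "any template under static/" into "only the pages meant to be public", which is the residual risk the scanner category describes.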

topic_user.rb
code Critical
Attribute Restriction
Discovered 3 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_user.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.
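All 26 Attribute Restriction findings on this page (category_group.rb through topic_user.rb) describe the same condition, so one added example covers them. The Account class, the request hash and the permit helper below are constructed for this page and are not Discourse's code; the helper reproduces without Rails what `params.require(:account).permit(:name, :email)` does in a controller. Two triage facts matter for these findings: attr_accessible is the Rails 3 / protected_attributes mechanism, and on Rails 4 and later the control lives in the controller as strong parameters; and ActiveRecord raises ActiveModel::ForbiddenAttributesError when an unpermitted ActionController::Parameters object is mass-assigned, so the real question for each flagged model is whether any controller hands it a plain hash built from the request (for example via to_unsafe_h or permit!).

```ruby
# Minimal stand-in for an ActiveRecord model; not Discourse's code.
class Account
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  # Mirrors ActiveRecord mass assignment: every key becomes a setter call,
  # so whatever the client puts in the hash ends up on the record.
  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Untrusted request body, constructed for the example. A self-registering
# user has added the "admin" key the form never offered.
REQUEST_PARAMS = {
  "name" => "mallory", "email" => "mallory@example.com", "admin" => true
}.freeze

# What an unrestricted controller does: everything the client sent is applied.
def build_account_unrestricted(params)
  Account.new.assign_attributes(params)
end

# Strong-parameters style allowlist. The real Rails call is
#   params.require(:account).permit(:name, :email)
# This helper keeps only the allowed keys and silently drops the rest.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# The controller-side fix: the model never sees the "admin" key.
def build_account_restricted(params)
  Account.new.assign_attributes(permit(params, :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unrestricted admin? #{build_account_unrestricted(REQUEST_PARAMS).admin}"
  puts "restricted admin?   #{build_account_restricted(REQUEST_PARAMS).admin}"
end
```

Because the allowlist is per controller action, the same model can legitimately accept `admin` from an admin-only endpoint and refuse it from the public signup endpoint; that is why the Rails 4+ design moved the restriction out of the model, and why a model-level scanner warning has to be traced to the controllers that feed it before it can be rated.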