Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:137

send_file(Discourse.store.path_for(get_optimized_image((Upload.find_by(:id => upload_id.to_i) or User.find_by(:username_lower => params[:username].to_s.downcase).uploaded_avatar), params[:size].to_i)), :disposition => nil)

Category description: When user-supplied input can contain ".." or similar characters that are passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.