Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/category.rb:767

Permalink.create(:url => Permalink.normalize_url(((+"#{Discourse.base_path}/c" << "/#{parent_category.slug_path.join("/")}") << "/#{saved_changes.transform_values(&:first)["slug"]}/#{id}")), :category_id => id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/category.rb or mark it as false positive.