Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/discourse_single_sign_on.rb:240

User.create!(:primary_email => UserEmail.new(:email => email, :primary => true), :name => ((name.presence or User.suggest_name((username.presence or email)))), :username => UserNameSuggester.suggest((username.presence or (name.presence or email))), :ip_address => ip_address, :locale => locale)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/discourse_single_sign_on.rb or mark it as false positive.