Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_embed.rb:73

TopicEmbed.create!(
  :topic_id => PostCreator.new(user,
      :title => title,
      :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))),
      :skip_validations => true,
      :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])),
      :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id,
      :visible => false
    ).create.topic_id,
  :embed_url => normalize_url(url),
  :content_sha1 => Digest::SHA1.hexdigest((+"" << imported_from_html(url))),
  :post_id => PostCreator.new(user,
      :title => title,
      :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))),
      :skip_validations => true,
      :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])),
      :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id,
      :visible => false
    ).create.id
)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/topic_embed.rb or mark it as a false positive.