draft.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/draft.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/draft.rb or mark it as false positive.

session_controller.rb
Severity: Critical
Redirect
Discovered 4 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:188

redirect_to(SiteSetting.discourse_connect_not_approved_url)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

screened_url.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/screened_url.rb:8


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/screened_url.rb or mark it as false positive.

reviewable_history.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_history.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_history.rb or mark it as false positive.

given_daily_like.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/given_daily_like.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/given_daily_like.rb or mark it as false positive.

category_group.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/category_group.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/category_group.rb or mark it as false positive.

theme_translation_override.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/theme_translation_override.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/theme_translation_override.rb or mark it as false positive.

user_ip_address_history.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_ip_address_history.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_ip_address_history.rb or mark it as false positive.

group_tag_notification_default.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_tag_notification_default.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_tag_notification_default.rb or mark it as false positive.

color_scheme_color.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/color_scheme_color.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/color_scheme_color.rb or mark it as false positive.

topic_allowed_group.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_allowed_group.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_allowed_group.rb or mark it as false positive.

topic_invite.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_invite.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_invite.rb or mark it as false positive.

linked_topic.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/linked_topic.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/linked_topic.rb or mark it as false positive.

user_warning.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_warning.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_warning.rb or mark it as false positive.

topic_user.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_user.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.

site_settings_controller.rb
Severity: Critical
Dangerous Send
Discovered 4 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/site_settings_controller.rb:34

SiteSetting.send((params[:id] or SiteSettings::DeprecatedSettings::SETTINGS.find do
 break new_name if (old_name == params[:id])
 end))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/site_settings_controller.rb or mark it as false positive.

category_user.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/category_user.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/category_user.rb or mark it as false positive.

post_action_type.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_action_type.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_action_type.rb or mark it as false positive.

invited_user.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/invited_user.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/invited_user.rb or mark it as false positive.

topic_thumbnail.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_thumbnail.rb:9


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_thumbnail.rb or mark it as false positive.

topic_timer.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_timer.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_timer.rb or mark it as false positive.

reviewable_flagged_post.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_flagged_post.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_flagged_post.rb or mark it as false positive.

api_key.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/api_key.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/api_key.rb or mark it as false positive.

user_export.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_export.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_export.rb or mark it as false positive.

webhooks_controller.rb
Severity: Critical
Cross-Site Request Forgery
Discovered 4 months ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: High

Problem

'protect_from_forgery' should be called in WebhooksController

Location

app/controllers/webhooks_controller.rb:5


Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/webhooks_controller.rb or mark it as false positive.

backup_draft_post.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/backup_draft_post.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/backup_draft_post.rb or mark it as false positive.

email_change_request.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/email_change_request.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/email_change_request.rb or mark it as false positive.

optimized_image.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/optimized_image.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

static_controller.rb
Severity: Critical
Dynamic Render Path
Discovered 4 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:78

render(action => (("static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.#{I18n.locale}" or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.en") or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}"), { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

user_api_key.rb
Severity: Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_api_key.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_api_key.rb or mark it as false positive.