topic_user.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_user.rb or mark it as a false positive.

oauth2_user_info.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/oauth2_user_info.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/oauth2_user_info.rb or mark it as a false positive.

site_settings_controller.rb
Critical
Dangerous Send
Discovered 4 months ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/site_settings_controller.rb:34

SiteSetting.send((params[:id] or SiteSettings::DeprecatedSettings::SETTINGS.find do
  break new_name if (old_name == params[:id])
end))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/site_settings_controller.rb or mark it as a false positive.

imap_sync_log.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/imap_sync_log.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/imap_sync_log.rb or mark it as a false positive.

user_api_key.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_api_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_api_key.rb or mark it as a false positive.

unsubscribe_key.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/unsubscribe_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/unsubscribe_key.rb or mark it as a false positive.

post_action_type.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_action_type.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_action_type.rb or mark it as a false positive.

theme_javascripts_controller.rb
Critical
File Access
Discovered 4 months ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/theme_javascripts_controller.rb:34

send_file("#{"#{Rails.root}/tmp/javascript-cache"}/#{params[:digest]}.js", :disposition => :inline)

Category description: This warning comes up when user-supplied input that may contain ".." or similar characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/theme_javascripts_controller.rb or mark it as a false positive.

invited_user.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/invited_user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/invited_user.rb or mark it as a false positive.

tag.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/tag.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/tag.rb or mark it as a false positive.

users_controller.rb
Critical
Redirect
Discovered 4 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:936

redirect_to(cookies.delete(:destination_url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third-party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

post_reply.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_reply.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_reply.rb or mark it as a false positive.

topic_timer.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_timer.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_timer.rb or mark it as a false positive.

directory_item.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/directory_item.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/directory_item.rb or mark it as a false positive.

reviewable_flagged_post.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_flagged_post.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_flagged_post.rb or mark it as a false positive.

badge.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/badge.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/badge.rb or mark it as a false positive.

user_profile.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_profile.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_profile.rb or mark it as a false positive.

group_mention.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_mention.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_mention.rb or mark it as a false positive.

user_export.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_export.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_export.rb or mark it as a false positive.

post_timing.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_timing.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_timing.rb or mark it as a false positive.

post_reply_key.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_reply_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_reply_key.rb or mark it as a false positive.

tag_search_data.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/tag_search_data.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/tag_search_data.rb or mark it as a false positive.

dismissed_topic_user.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/dismissed_topic_user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/dismissed_topic_user.rb or mark it as a false positive.

backup_draft_post.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/backup_draft_post.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/backup_draft_post.rb or mark it as a false positive.

email_change_request.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/email_change_request.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/email_change_request.rb or mark it as a false positive.

application_controller.rb
Critical
Redirect
Discovered 4 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/application_controller.rb:546

redirect_to(Permalink.find_by_url(path).target_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third-party website.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as a false positive.

optimized_image.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/optimized_image.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/optimized_image.rb or mark it as a false positive.

developer.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/developer.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/developer.rb or mark it as a false positive.

static_controller.rb
Critical
Dynamic Render Path
Discovered 4 months ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:78

render(action => (("static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.#{I18n.locale}" or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}.en") or "static/#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}"), { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as a false positive.

muted_user.rb
Critical
Attribute Restriction
Discovered 4 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/muted_user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/muted_user.rb or mark it as a false positive.