theme_field.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/theme_field.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/theme_field.rb or mark it as false positive.

post_stat.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_stat.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_stat.rb or mark it as false positive.

translation_override.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/translation_override.rb:5

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/translation_override.rb or mark it as false positive.

directory_item.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/directory_item.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/directory_item.rb or mark it as false positive.

post_custom_field.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_custom_field.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_custom_field.rb or mark it as false positive.

tags_controller.rb
Severity: Critical
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/tags_controller.rb:374

redirect_to("#{Discourse.base_path}/tags#{Permalink.find_by_url("c/#{params[:category_slug_path_with_id]}").target_url}/#{params[:tag_id]}", :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third-party website.

Solution: fix the issue in app/controllers/tags_controller.rb or mark it as false positive.

group_custom_field.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_custom_field.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_custom_field.rb or mark it as false positive.

reviewable_queued_post.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/reviewable_queued_post.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/reviewable_queued_post.rb or mark it as false positive.

show.html.erb
Severity: Critical
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: High

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:27

Topic.find_by_id(SiteSetting.get(map[(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")][:topic_id])).posts.first.cooked

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

user.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user.rb or mark it as false positive.

user_second_factor.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_second_factor.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_second_factor.rb or mark it as false positive.

badge_grouping.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/badge_grouping.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/badge_grouping.rb or mark it as false positive.

javascript_cache.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/javascript_cache.rb:2

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/javascript_cache.rb or mark it as false positive.

second_factor_manager.rb
Severity: Critical
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:16

UserSecondFactor.create!({ :user_id => self.id, :method => UserSecondFactor.methods[:totp], :data => ROTP::Base32.random }.merge(opts))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as false positive.

topic_link_click.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/topic_link_click.rb:6

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/topic_link_click.rb or mark it as false positive.

post_action.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_action.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

imap_sync_log.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/imap_sync_log.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/imap_sync_log.rb or mark it as false positive.

user_api_key.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_api_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_api_key.rb or mark it as false positive.

unsubscribe_key.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/unsubscribe_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/unsubscribe_key.rb or mark it as false positive.

users_controller.rb
Severity: Critical
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:936

redirect_to(cookies.delete(:destination_url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third-party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

post_reply.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_reply.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_reply.rb or mark it as false positive.

user_profile.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_profile.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_profile.rb or mark it as false positive.

group_mention.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/group_mention.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/group_mention.rb or mark it as false positive.

post_timing.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_timing.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_timing.rb or mark it as false positive.

post_reply_key.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/post_reply_key.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/post_reply_key.rb or mark it as false positive.

tag_search_data.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/tag_search_data.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/tag_search_data.rb or mark it as false positive.

dismissed_topic_user.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/dismissed_topic_user.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/dismissed_topic_user.rb or mark it as false positive.

application_controller.rb
Severity: Critical
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/application_controller.rb:546

redirect_to(Permalink.find_by_url(path).target_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third-party website.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

category.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/category.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/category.rb or mark it as false positive.

user_search_data.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_search_data.rb:3

Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_search_data.rb or mark it as false positive.