user_notification_schedule.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/user_notification_schedule.rb:3


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/user_notification_schedule.rb or mark it as false positive.

theme.rb
Severity: Critical
Attribute Restriction
Discovered 6 months ago
Source: static code analysis
Category: Attribute Restriction
Confidence level: High

Problem

Mass assignment is not restricted using attr_accessible

Location

app/models/theme.rb:7


Category description: This warning comes up if a model does not limit what attributes can be set through mass assignment.

Solution: fix the issue in app/models/theme.rb or mark it as false positive.

upload.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/upload.rb:356

Upload.by_users.where("url NOT LIKE '%/original/_X/%' AND url LIKE '%/uploads/#{RailsMultisite::ConnectionManagement.current_db}%'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

post_action.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:235

Topic.where(:id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).update_all(["#{"#{post_action_type_key}_count"} = ?", Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).sum("#{post_action_type_key}_count")])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

list_controller.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/list_controller.rb:432

TopTopic.where("#{period}_score > 0")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/list_controller.rb or mark it as false positive.

post_action.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:216

1.joins(:user).where(:post_id => post_id).sum("CASE WHEN users.moderator OR users.admin THEN #{SiteSetting.staff_like_weight} ELSE 1 END")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

user_search.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_search.rb:173

User.joins("JOIN (SELECT unnest uid, row_number() OVER () AS rn\n      FROM unnest('{#{search_ids.join(",")}}'::int[])\n    ) x on uid = users.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

group_history.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group_history.rb:44

self.includes(:acting_user, :target_user).where(:group_id => group.id).order("group_histories.created_at DESC").where(:action => self.actions[params.slice(*filters)[:action].to_sym]).where(:subject => params.slice(*filters)[:subject]).where("#{filter}_id" => User.where(:username_lower => params.slice(*filters)[filter]).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group_history.rb or mark it as false positive.

post_action.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:234

Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).sum("#{post_action_type_key}_count")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

tag_groups_controller.rb
Severity: Severe
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

Parameters should be whitelisted for mass assignment

Location

app/controllers/tag_groups_controller.rb:83

params.delete(:tag_group).permit!

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as false positive.

reviewable.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/reviewable.rb:483

by_status(viewable_by(user, :order => (((("reviewables.score ASC, reviewables.created_at DESC" or "reviewables.created_at DESC, reviewables.score DESC") or "reviewables.created_at ASC, reviewables.score DESC") or "reviewables.score DESC, reviewables.created_at DESC"))), status).where(:id => ids).where("reviewables.type = ?", type).where("reviewables.category_id = ?", category_id).where("reviewables.topic_id = ?", topic_id).where("reviewables.created_at >= ?", from_date).where("reviewables.created_at <= ?", to_date).joins("        INNER JOIN(\n          SELECT reviewable_id\n          FROM reviewable_histories\n          WHERE reviewable_history_type = #{ReviewableHistory.types[:transitioned]} AND\n          status <> #{Reviewable.statuses[:pending]} AND created_by_id = #{User.find_by_username(reviewed_by).id}\n) AS rh ON rh.reviewable_id = reviewables.id\n")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/reviewable.rb or mark it as false positive.

show.html.erb
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unescaped model attribute

Location

app/views/published_pages/show.html.erb:25

PublishedPage.find_by(:slug => params[:slug]).topic.first_post.cooked

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/published_pages/show.html.erb or mark it as false positive.

upload.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/upload.rb:430

Post.with_deleted.where("raw ~ '/uploads/#{RailsMultisite::ConnectionManagement.current_db}/\\d+/' OR raw ~ '/uploads/#{RailsMultisite::ConnectionManagement.current_db}/original/(\\d|[a-z])/'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

embed.html.erb
Severity: Severe
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Medium

Problem

Unescaped model attribute

Location

app/views/layouts/embed.html.erb:2

EmbeddableHost.record_for_url(request.referer).class_name

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/layouts/embed.html.erb or mark it as false positive.

application_controller.rb
Severity: Severe
Cross-Site Request Forgery
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Request Forgery
Confidence level: Medium

Problem

protect_from_forgery should be configured with 'with: :exception'

Location

app/controllers/application_controller.rb


Category description: Failure to verify that the sender of a web request actually intended to do so.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

user_history.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_history.rb:227

self.where(:action => filters[:action_id]).where(:custom_type => filters[:custom_type]).where("#{key}_id = ?", User.where(:username_lower => filters[key].downcase).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_history.rb or mark it as false positive.

user.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user.rb:242

joins(DB.sql_fragment("LEFT JOIN category_users ON category_users.user_id = users.id AND category_users.category_id = :category_id", :category_id => topic.category_id)).joins(DB.sql_fragment("LEFT JOIN topic_users ON topic_users.user_id = users.id AND topic_users.topic_id = :topic_id", :topic_id => topic.id)).joins("LEFT JOIN tag_users ON tag_users.user_id = users.id AND tag_users.tag_id IN (#{(topic.tag_ids.join(",").presence or "NULL")})")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user.rb or mark it as false positive.

groups_controller.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/groups_controller.rb:296

find_group(:group_id).users.human_users.filter_by_username_or_email(params[:filter].split(",")).filter_by_username(params[:filter].split(",")).joins(:user_option).select("users.*, user_options.timezone, group_users.created_at as added_at").order((("" or "group_users.created_at #{(("ASC" or "DESC") or ("DESC" or "ASC"))}") or "#{params[:order]} #{(("ASC" or "DESC") or ("DESC" or "ASC"))} NULLS LAST"))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

topic.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:610

Topic.visible.listable_topics.secured(Guardian.new(user)).joins("JOIN topic_search_data s ON topics.id = s.topic_id").joins("LEFT JOIN categories c ON topics.id = c.topic_id").where("search_data @@ #{Search.to_tsquery(:term => ((Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A") or "#{Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A")} & #{Search.set_tsquery_weight_filter((SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)).present? and Search.prepare_data(SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)))), "B")}")), :joiner => "|")}").where("c.topic_id IS NULL").order("ts_rank(search_data, #{Search.to_tsquery(:term => ((Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A") or "#{Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A")} & #{Search.set_tsquery_weight_filter((SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)).present? and Search.prepare_data(SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)))), "B")}")), :joiner => "|")}) DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

post_action.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:220

Post.where(:id => post_id).update_all(["#{"#{post_action_type_key}_count"} = ?", 1.where(:post_id => post_id).where(:post_action_type_id => post_action_type_id).count])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

notification.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/notification.rb:161

where("created_at > ?", min_date).includes(:topic).visible.unread.limit(20).order("CASE WHEN notification_type = #{Notification.types[:replied]} THEN 1\n                           WHEN notification_type = #{Notification.types[:mentioned]} THEN 2\n                           ELSE 3\n                      END, created_at DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/notification.rb or mark it as false positive.

topic_user.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic_user.rb:210

Group.joins("LEFT OUTER JOIN group_users gu ON gu.group_id = groups.id AND gu.user_id = #{user_id}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.

topic.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:303

where("topics.category_id IS NULL OR topics.category_id IN (SELECT id FROM categories WHERE #{(["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[0]})", (["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[1])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

groups_controller.rb
Severity: Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/groups_controller.rb:289

find_group(:group_id).users.human_users.filter_by_username_or_email(params[:filter].split(",")).filter_by_username(params[:filter].split(",")).joins(:user_option).select("users.*, user_options.timezone, group_users.created_at as added_at").order("NOT group_users.owner").order((("" or "group_users.created_at #{(("ASC" or "DESC") or ("DESC" or "ASC"))}") or "#{params[:order]} #{(("ASC" or "DESC") or ("DESC" or "ASC"))} NULLS LAST"))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

posts_controller.rb
Severity: Moderate
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/posts_controller.rb:162

redirect_to(path(Post.find(params[:post_id].to_i).url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/posts_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:983

redirect_to(((session_sso_provider_url + "?") + cookies.delete(:sso_payload)))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:901

User.human_users.find_by_username_or_email(params[:login]).email_tokens.create!(:email => User.human_users.find_by_username_or_email(params[:login]).email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

has_custom_fields.rb
Severity: Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/concerns/has_custom_fields.rb:125

"#{name}CustomField".constantize.where("#{(name.underscore << "_id")} in (?)", { obj.id => obj }.keys).where("name in (?)", fields).pluck((name.underscore << "_id"), :name, :value)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/has_custom_fields.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:137

crawlable_meta_data(:title => TopicView.new(params[:topic_id]).title, :description => TopicView.new(params[:topic_id]).summary(:strip_images => true), :image => TopicView.new(params[:topic_id]).image_url, :read_time => TopicView.new(params[:topic_id]).read_time, :like_count => TopicView.new(params[:topic_id]).like_count, :ignore_canonical => true, :published_time => TopicView.new(params[:topic_id]).published_time)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/topics/show.html.erb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/static/show.html.erb:34

crawlable_meta_data(:title => (("#{(I18n.t("js.#{(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")}") or Topic.find_by_id(SiteSetting.get(map[(params[:id] or "faq").gsub(/[^a-z0-9\_\-]/, "")][:topic_id])).title)} - #{SiteSetting.title}" or ("#{SiteSetting.title} - #{SiteSetting.short_site_description}" or SiteSetting.title))), :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.