color_schemes_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/color_schemes_controller.rb:12

ColorScheme.create(color_scheme_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/color_schemes_controller.rb or mark it as false positive.

confirm_admin.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/users/confirm_admin.html.erb:14

t("activation.admin_confirm.complete", :target_username => AdminConfirmation.find_by_code(params[:token]).target_user.username)

Category description: XSS occurs when a user-manipulable value is displayed on a web page without escaping, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/users/confirm_admin.html.erb or mark it as false positive.

reviewable_queued_post.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/reviewable_queued_post.rb:98

Notification.create!(:notification_type => Notification.types[:post_approved], :user_id => created_by.id, :data => ({}), :topic_id => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.topic_id, :post_number => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.post_number)

Solution: fix the issue in app/models/reviewable_queued_post.rb or mark it as false positive.

show.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:38

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

unsubscribed.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/email/unsubscribed.html.erb:6

t("unsubscribed.description", :email => Discourse.cache.read(params[:key]), :url => path("/my/preferences"))

Solution: fix the issue in app/views/email/unsubscribed.html.erb or mark it as false positive.

upload.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:445

FileUtils.rm((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), :max_file_size => [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, :tmp_file_name => "discourse", :follow_redirect => true).path or FileStore::LocalStore.new.path_for(upload)), :force => true)

Category description: File access issues occur when user-supplied input containing ".." or similar sequences is passed through to file access APIs, giving access to files outside of the intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

topics_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/topics_controller.rb:311

SharedDraft.create(:topic_id => Topic.find_by(:id => params[:id]).id, :category_id => Category.where(:id => params[:category_id].to_i).first.id)

Solution: fix the issue in app/controllers/topics_controller.rb or mark it as false positive.

themes_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/admin/themes_controller.rb:262

File.read(ThemeStore::ZipExporter.new(Theme.find_by(:id => params[:id])).package_filename)

Solution: fix the issue in app/controllers/admin/themes_controller.rb or mark it as false positive.

index.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/categories/index.html.erb:37

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Solution: fix the issue in app/views/categories/index.html.erb or mark it as false positive.

session_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/session_controller.rb:447

User.find_by_username_or_email(normalized_login_param).email_tokens.create(:email => User.find_by_username_or_email(normalized_login_param).email)

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

tag_user.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/tag_user.rb:100

TagUser.create(:user_id => user_id.id.to_i, :tag_id => (tag_id.id or (tag_id or Tag.find_by_id(tag_id)).target_tag_id).to_i, :notification_level => level)

Solution: fix the issue in app/models/tag_user.rb or mark it as false positive.

static_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/static_controller.rb:255

send_file((File.expand_path((Rails.root + "public/assets/#{params[:path]}#{suffix}")) or File.expand_path("#{GlobalSetting.fallback_assets_path}/#{params[:path]}#{suffix}")), :disposition => nil, :type => "application/javascript")

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

theme_field.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/theme_field.rb:14

where(:theme_id => theme_ids).joins("JOIN (\n          SELECT #{theme_ids.map.with_index do
 "#{id.to_i} AS theme_id, #{idx} AS theme_sort_column"
 end.join(" UNION ALL SELECT ")}\n        ) as X ON X.theme_id = theme_fields.theme_id")

Category description: SQL injection occurs when a user is able to manipulate a value that is used unsafely inside a SQL query.

Solution: fix the issue in app/models/theme_field.rb or mark it as false positive.

topic.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1557

DB.build("    SELECT COUNT(*) as count, tt.created_at AS \"date\"\n    FROM (\n      SELECT t.id, t.created_at::date AS created_at, MIN(p.post_number) first_reply\n      FROM topics t\n      LEFT JOIN posts p ON p.topic_id = t.id AND p.user_id != t.user_id AND p.deleted_at IS NULL AND p.post_type = #{Post.types[:regular]}\n      /*where*/\n      GROUP BY t.id\n    ) tt\n    WHERE tt.first_reply IS NULL OR tt.first_reply < 2\n    GROUP BY tt.created_at\n    ORDER BY tt.created_at\n").where("t.archetype <> '#{Archetype.private_message}'")

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

notifications_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/notifications_controller.rb:76

Notification.create!(notification_params)

Solution: fix the issue in app/controllers/notifications_controller.rb or mark it as false positive.

optimized_image.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/optimized_image.rb:103

OptimizedImage.create!(:upload_id => upload.id, :sha1 => Upload.generate_digest(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :extension => (".#{(opts[:format] or upload.extension)}"), :width => width, :height => height, :url => "", :filesize => File.size(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :version => 2)

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

remote_theme.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:43

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::ZipImporter.new(filename, original_filename))["name"])

Solution: fix the issue in app/models/remote_theme.rb or mark it as false positive.

user_avatars_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:75

send_file(LetterAvatar.generate(params[:username].to_s, params[:size].to_i), :disposition => nil)

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

report.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/report.rb:327

subject_class.where("#{query_column} >= ? and #{query_column} < ?", report.prev_start_date, report.prev_end_date)

Solution: fix the issue in app/models/report.rb or mark it as false positive.

users_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:270

UserHistory.create!(:action => UserHistory.actions[:update_email], :acting_user_id => fetch_user_from_params.id)

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

tag_groups_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/tag_groups_controller.rb:42

TagGroup.new(tag_groups_params)

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as false positive.

second_factor_manager.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:220

UserSecondFactor.create!(:user_id => self.id, :data => code.to_json, :enabled => true, :method => UserSecondFactor.methods[:backup_codes])

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as false positive.

groups_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/groups_controller.rb:8

Group.new(group_params.to_h.except(:owner_usernames, :usernames))

Solution: fix the issue in app/controllers/admin/groups_controller.rb or mark it as false positive.

unsubscribe.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribe.html.erb:30

t("unsubscribe.mute_topic", :link => render_topic_title((UnsubscribeKey.find_by(:key => params[:key]).post.topic or UnsubscribeKey.find_by(:key => params[:key]).topic)))

Solution: fix the issue in app/views/email/unsubscribe.html.erb or mark it as false positive.

users_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:604

User.new.attributes = user_params.except(:timezone)

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

upload.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:402

File.open((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), :max_file_size => [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, :tmp_file_name => "discourse", :follow_redirect => true).path or FileStore::LocalStore.new.path_for(upload)))

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

topic.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1583

DB.build("    SELECT COUNT(*) as count\n    FROM (\n      SELECT t.id, MIN(p.post_number) first_reply\n      FROM topics t\n      LEFT JOIN posts p ON p.topic_id = t.id AND p.user_id != t.user_id AND p.deleted_at IS NULL AND p.post_type = #{Post.types[:regular]}\n      /*where*/\n      GROUP BY t.id\n    ) tt\n    WHERE tt.first_reply IS NULL OR tt.first_reply < 2\n").where("t.archetype <> '#{Archetype.private_message}'")

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

show.html.erb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:7

fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).user_profile.bio_processed

Solution: fix the issue in app/views/users/show.html.erb or mark it as false positive.

users_controller.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:338

UserHistory.create!(:details => ("title matching badge id #{UserBadge.find_by(:id => params[:user_badge_id]).badge.id}"), :previous_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :new_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:change_title])

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

user.rb
Moderate
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user.rb:1222

UserAvatar.create!(:user_id => id, :custom_upload_id => SiteSetting.selectable_avatars.sample.id)

Solution: fix the issue in app/models/user.rb or mark it as false positive.