emojis_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/emojis_controller.rb:30

CustomEmoji.new(:name => (params[:name] or File.basename((params[:file] or params[:files].first).original_filename, ".*")).gsub(/[^a-z0-9]+/i, "_").gsub(/_{2,}/, "_").downcase, :upload => UploadCreator.new((params[:file] or params[:files].first).tempfile, (params[:file] or params[:files].first).original_filename, :type => "custom_emoji").create_for(current_user.id), :group => ((params[:group].downcase or nil)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/emojis_controller.rb or mark it as false positive.

backups_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/admin/backups_controller.rb:88

send_file(BackupRestore::BackupStore.create.file(params.fetch(:id), :include_download_source => true).source)

Category description: User-supplied input containing ".." or similar sequences is passed through to file access APIs, allowing access to files outside of the intended subdirectory.

Solution: fix the issue in app/controllers/admin/backups_controller.rb or mark it as false positive.

unsubscribed.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/email/unsubscribed.html.erb:10

t("unsubscribed.topic_description", :link => render_topic_title(Topic.find_by(:id => params[:topic_id].to_i)))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/email/unsubscribed.html.erb or mark it as false positive.

invite.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/invite.rb:147

Invite.create!({}.slice(:email, :moderator, :custom_message, :max_redemptions_allowed))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/invite.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:870

User.with_email(params[:email]).admins.human_users.first.email_tokens.create(:email => User.with_email(params[:email]).admins.human_users.first.email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/groups_controller.rb:487

GroupRequest.create!(:group => find_group(:id), :user => current_user, :reason => params[:reason])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/badges/show.html.erb:2

crawlable_meta_data(:title => I18n.t("badges.badge_title_metadata", :display_name => @badge.display_name, :site_title => SiteSetting.title), :description => @badge.long_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/badges/show.html.erb or mark it as false positive.

remote_theme.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:84

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["name"], :component => [true, "true"].include?(RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["component"]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped parameter value

Location

app/views/topics/show.html.erb:58

t("js.action_codes.#{post.action_code}", :when => "", :who => (((TopicView.new(params[:topic_id]).post_custom_fields[post.id] or {})["action_code_who"] or "")))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/topics/show.html.erb or mark it as false positive.

login.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/login.html.erb:3

PrettyText.cook(I18n.t("login_required.#{if SiteSetting.invite_only? then
  "welcome_message_invite_only"
else
  "welcome_message"
end}", :title => SiteSetting.title))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/login.html.erb or mark it as false positive.

user_api_keys_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/user_api_keys_controller.rb:74

UserApiKey.create!(:application_name => params[:application_name], :client_id => params[:client_id], :user_id => current_user.id, :push_url => params[:push_url], :scopes => (params[:scopes].split(",").map do
 UserApiKeyScope.new(:name => name)
 end))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/user_api_keys_controller.rb or mark it as false positive.

group.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/group.rb:626

Notification.create!(:notification_type => Notification.types[:membership_request_accepted], :user_id => user.id, :data => { :group_id => id, :group_name => name }.to_json)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/group.rb or mark it as false positive.

post_mover.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/post_mover.rb:46

Topic.create!(:user => Post.find_by(:id => post_ids.first).user, :title => title, :category_id => category_id, :created_at => Post.find_by(:id => post_ids.first).created_at, :archetype => ((Archetype.private_message or Archetype.default)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/post_mover.rb or mark it as false positive.

topic_user.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_user.rb:231

TopicUser.create!(attrs.merge!(:user_id => user_id, :topic_id => topic_id, :first_visited_at => DateTime.now, :last_visited_at => DateTime.now))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.

permalinks_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/permalinks_controller.rb:23

Permalink.new(:url => params[:url], "tag_id" => Tag.find_by_name(params[:permalink_type_value]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/permalinks_controller.rb or mark it as false positive.

user_search.rb
Severity: Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/user_search.rb:57

scoped_users.includes(:user_search_data).where("user_search_data.search_data @@ #{Search.ts_query(:term => (@term), :ts_config => "simple")}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

list.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/list/list.erb:154

crawlable_meta_data(:title => SiteSetting.title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/list/list.erb or mark it as false positive.

report.rb
Severity: Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/report.rb:340

subject_class.where("#{query_column} >= ? and #{query_column} < ?", (report.start_date - 30.days), report.start_date)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/report.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:300

UserHistory.create(:action => UserHistory.actions[:destroy_email], :acting_user_id => fetch_user_from_params.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

user_auth_token.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user_auth_token.rb:28

UserAuthTokenLog.create!(info)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user_auth_token.rb or mark it as false positive.

categories_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/categories_controller.rb:128

Category.new(required_create_params.merge(:user => current_user))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/categories_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:934

redirect_to(((session_sso_provider_url + "?") + cookies.delete(:sso_payload)))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

svg_sprite_controller.rb
Severity: Moderate
Redirect
Discovered 6 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/svg_sprite_controller.rb:18

redirect_to(path(SvgSprite.path(params[:theme_ids].split(",").map(&:to_i))))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/svg_sprite_controller.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:14

crawlable_meta_data(:title => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).username, :description => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).user_profile.bio_summary, :image => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).small_avatar_url)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/users/show.html.erb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:792

UserHistory.create!(:target_user => (@user), :acting_user => (@user), :action => UserHistory.actions[:change_password])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

screened_ip_addresses_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/screened_ip_addresses_controller.rb:26

ScreenedIpAddress.new(allowed_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/screened_ip_addresses_controller.rb or mark it as false positive.

topic.rb
Severity: Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1512

DB.build(sql).where("t.archetype <> '#{Archetype.private_message}'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

show.html.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/users/show.html.erb:12

crawlable_meta_data(:title => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).username, :image => fetch_user_from_params(:include_inactive => ((current_user.staff? or (current_user and SiteSetting.show_inactive_accounts)))).small_avatar_url)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/users/show.html.erb or mark it as false positive.

api_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/api_controller.rb:62

ApiKey.new(update_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as false positive.

list.erb
Severity: Moderate
Cross-Site Scripting
Discovered 6 months ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/list/list.erb:150

crawlable_meta_data(:title => ("#{@category.name} - #{SiteSetting.title}"), :description => (@description_meta))

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/list/list.erb or mark it as false positive.