badges_controller.rb
Severity: Critical
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/admin/badges_controller.rb:61

File.open(params.permit(:file).fetch(:file, nil))

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/admin/badges_controller.rb or mark it as false positive.

themes_controller.rb
Severity: Critical
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/admin/themes_controller.rb:23

File.open(params[:file].path)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/admin/themes_controller.rb or mark it as false positive.

theme_javascripts_controller.rb
Severity: Critical
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: High

Problem

Parameter value used in file name

Location

app/controllers/theme_javascripts_controller.rb:34

send_file("#{"#{Rails.root}/tmp/javascript-cache"}/#{params[:digest]}.js", :disposition => :inline)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/theme_javascripts_controller.rb or mark it as false positive.

static_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/static_controller.rb:255

send_file((File.expand_path((Rails.root + "public/assets/#{params[:path]}#{suffix}")) or File.expand_path("#{GlobalSetting.fallback_assets_path}/#{params[:path]}#{suffix}")), :disposition => nil, :type => "application/javascript")

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

themes_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/admin/themes_controller.rb:262

File.read(ThemeStore::ZipExporter.new(Theme.find_by(:id => params[:id])).package_filename)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/admin/themes_controller.rb or mark it as false positive.

backups_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/admin/backups_controller.rb:88

send_file(BackupRestore::BackupStore.create.file(params.fetch(:id), :include_download_source => true).source)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/admin/backups_controller.rb or mark it as false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:75

send_file(LetterAvatar.generate(params[:username].to_s, params[:size].to_i), :disposition => nil)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

upload.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:402

File.open((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), :max_file_size => [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, :tmp_file_name => "discourse", :follow_redirect => true).path or FileStore::LocalStore.new.path_for(upload)))

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:137

send_file(Discourse.store.path_for(get_optimized_image((Upload.find_by(:id => upload_id.to_i) or User.find_by(:username_lower => params[:username].to_s.downcase).uploaded_avatar), params[:size].to_i)), :disposition => nil)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as false positive.

upload.rb
Severity: Moderate
File Access
Discovered 6 months ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:445

FileUtils.rm((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), :max_file_size => [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, :tmp_file_name => "discourse", :follow_redirect => true).path or FileStore::LocalStore.new.path_for(upload)), :force => true)

Category description: User-supplied input containing ".." or similar path characters is passed through to file access APIs, allowing access to files outside the intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.