second_factor_manager.rb
Severity: Critical
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:16

UserSecondFactor.create!({ :user_id => self.id, :method => UserSecondFactor.methods[:totp], :data => ROTP::Base32.random }.merge(opts))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as false positive.

user_fields_controller.rb
Severity: Critical
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/controllers/admin/user_fields_controller.rb:10

UserField.new(params.require(:user_field).permit(*Admin::UserFieldsController.columns))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/user_fields_controller.rb or mark it as false positive.

tag_groups_controller.rb
Severity: Severe
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

Parameters should be whitelisted for mass assignment

Location

app/controllers/tag_groups_controller.rb:83

params.delete(:tag_group).permit!

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:901

User.human_users.find_by_username_or_email(params[:login]).email_tokens.create!(:email => User.human_users.find_by_username_or_email(params[:login]).email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

color_schemes_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/color_schemes_controller.rb:12

ColorScheme.create(color_scheme_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/color_schemes_controller.rb or mark it as false positive.

session_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/session_controller.rb:447

User.find_by_username_or_email(normalized_login_param).email_tokens.create(:email => User.find_by_username_or_email(normalized_login_param).email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

notifications_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/notifications_controller.rb:76

Notification.create!(notification_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/notifications_controller.rb or mark it as false positive.

tag_groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/tag_groups_controller.rb:42

TagGroup.new(tag_groups_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as false positive.

groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/groups_controller.rb:8

Group.new(group_params.to_h.except(:owner_usernames, :usernames))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/groups_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:604

User.new.attributes = user_params.except(:timezone)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

user.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user.rb:1222

UserAvatar.create!(:user_id => id, :custom_upload_id => SiteSetting.selectable_avatars.sample.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:870

User.with_email(params[:email]).admins.human_users.first.email_tokens.create(:email => User.with_email(params[:email]).admins.human_users.first.email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/groups_controller.rb:487

GroupRequest.create!(:group => find_group(:id), :user => current_user, :reason => params[:reason])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

remote_theme.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:84

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["name"], :component => [true, "true"].include?(RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["component"]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as false positive.

user_api_keys_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/user_api_keys_controller.rb:74

UserApiKey.create!(:application_name => params[:application_name], :client_id => params[:client_id], :user_id => current_user.id, :push_url => params[:push_url], :scopes => (params[:scopes].split(",").map do |name|
 UserApiKeyScope.new(:name => name)
 end))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/user_api_keys_controller.rb or mark it as false positive.

group.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/group.rb:626

Notification.create!(:notification_type => Notification.types[:membership_request_accepted], :user_id => user.id, :data => { :group_id => id, :group_name => name }.to_json)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/group.rb or mark it as false positive.

user_auth_token.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user_auth_token.rb:28

UserAuthTokenLog.create!(info)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user_auth_token.rb or mark it as false positive.

categories_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/categories_controller.rb:128

Category.new(required_create_params.merge(:user => current_user))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/categories_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:792

UserHistory.create!(:target_user => (@user), :acting_user => (@user), :action => UserHistory.actions[:change_password])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

api_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/api_controller.rb:62

ApiKey.new(update_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/users_controller.rb:309

User.find_by(:id => params[:user_id]).email_tokens.create(:email => User.find_by(:id => params[:user_id]).email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/users_controller.rb or mark it as false positive.

web_hooks_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/web_hooks_controller.rb:36

WebHook.new(web_hook_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/web_hooks_controller.rb or mark it as false positive.

discourse_single_sign_on.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/discourse_single_sign_on.rb:240

User.create!(:primary_email => UserEmail.new(:email => email, :primary => true), :name => ((name.presence or User.suggest_name((username.presence or email)))), :username => UserNameSuggester.suggest((username.presence or (name.presence or email))), :ip_address => ip_address, :locale => locale)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/discourse_single_sign_on.rb or mark it as false positive.

topic_embed.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_embed.rb:73

TopicEmbed.create!(:topic_id => PostCreator.new(user, :title => title, :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))), :skip_validations => true, :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])), :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id, :visible => false).create.topic_id, :embed_url => normalize_url(url), :content_sha1 => Digest::SHA1.hexdigest((+"" << imported_from_html(url))), :post_id => PostCreator.new(user, :title => title, :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))), :skip_validations => true, :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])), :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id, :visible => false).create.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/topic_embed.rb or mark it as false positive.

topics_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/topics_controller.rb:311

SharedDraft.create(:topic_id => Topic.find_by(:id => params[:id]).id, :category_id => Category.where(:id => params[:category_id].to_i).first.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/topics_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:270

UserHistory.create!(:action => UserHistory.actions[:update_email], :acting_user_id => fetch_user_from_params.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

second_factor_manager.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:220

UserSecondFactor.create!(:user_id => self.id, :data => code.to_json, :enabled => true, :method => UserSecondFactor.methods[:backup_codes])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as false positive.

invite.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/invite.rb:147

Invite.create!({}.slice(:email, :moderator, :custom_message, :max_redemptions_allowed))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/invite.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:300

UserHistory.create(:action => UserHistory.actions[:destroy_email], :acting_user_id => fetch_user_from_params.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

screened_ip_addresses_controller.rb
Severity: Moderate
Mass Assignment
Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/screened_ip_addresses_controller.rb:26

ScreenedIpAddress.new(allowed_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/screened_ip_addresses_controller.rb or mark it as false positive.