directory_items_controller.rb
code Critical
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: High

Problem

Possible SQL injection

Location

app/controllers/directory_items_controller.rb:32

DirectoryItem.where(:period_type => DirectoryItem.period_types[params.require(:period).to_sym]).includes(:user).includes(:user => :groups).where(:users => ({ :groups => ({ :id => Group.find_by(:name => params[:group]).id }) })).includes(:user => :primary_group).references(:user).where.not(:users => ({ :username => params[:exclude_usernames].split(",") })).order("directory_items.#{(params[:order] or DirectoryItem.headings.first)} #{("ASC" or "DESC")}, directory_items.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/directory_items_controller.rb or mark it as false positive.

directory_items_controller.rb
code Critical
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: High

Problem

Possible SQL injection

Location

app/controllers/directory_items_controller.rb:34

DirectoryItem.where(:period_type => DirectoryItem.period_types[params.require(:period).to_sym]).includes(:user).includes(:user => :groups).where(:users => ({ :groups => ({ :id => Group.find_by(:name => params[:group]).id }) })).includes(:user => :primary_group).references(:user).where.not(:users => ({ :username => params[:exclude_usernames].split(",") })).order("directory_items.#{(params[:order] or DirectoryItem.headings.first)} #{("ASC" or "DESC")}, directory_items.id").order("users.#{(params[:order] or DirectoryItem.headings.first)} #{("ASC" or "DESC")}, directory_items.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/directory_items_controller.rb or mark it as false positive.

email_controller.rb
code Critical
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: High

Problem

Possible SQL injection

Location

app/controllers/admin/email_controller.rb:54

PostReplyKey.where("(post_id,user_id) IN (#{(["(?)"] * (filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params) or (filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params).where("post_reply_keys.reply_key = ?", params[:reply_key]) or filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params).where("replace(post_reply_keys.reply_key::VARCHAR, '-', '') ILIKE ?", "%#{params[:reply_key]}%"))).to_a.map do
 [email_log.post_id, email_log.user_id]
 end.size).join(", ")})", *(filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params) or (filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params).where("post_reply_keys.reply_key = ?", params[:reply_key]) or filter_logs(EmailLog.joins("LEFT JOIN post_reply_keys\nON post_reply_keys.post_id = email_logs.post_id\nAND post_reply_keys.user_id = email_logs.user_id\n"), params).where("replace(post_reply_keys.reply_key::VARCHAR, '-', '') ILIKE ?", "%#{params[:reply_key]}%"))).to_a.map do
 [email_log.post_id, email_log.user_id]
 end)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/admin/email_controller.rb or mark it as false positive.

post_action.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:216

1.joins(:user).where(:post_id => post_id).sum("CASE WHEN users.moderator OR users.admin THEN #{SiteSetting.staff_like_weight} ELSE 1 END")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

upload.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/upload.rb:430

Post.with_deleted.where("raw ~ '/uploads/#{RailsMultisite::ConnectionManagement.current_db}/\\d+/' OR raw ~ '/uploads/#{RailsMultisite::ConnectionManagement.current_db}/original/(\\d|[a-z])/'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

notification.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/notification.rb:161

where("created_at > ?", min_date).includes(:topic).visible.unread.limit(20).order("CASE WHEN notification_type = #{Notification.types[:replied]} THEN 1\n                           WHEN notification_type = #{Notification.types[:mentioned]} THEN 2\n                           ELSE 3\n                      END, created_at DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/notification.rb or mark it as false positive.

group_history.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group_history.rb:44

self.includes(:acting_user, :target_user).where(:group_id => group.id).order("group_histories.created_at DESC").where(:action => self.actions[params.slice(*filters)[:action].to_sym]).where(:subject => params.slice(*filters)[:subject]).where("#{filter}_id" => User.where(:username_lower => params.slice(*filters)[filter]).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group_history.rb or mark it as false positive.

post_action.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:220

Post.where(:id => post_id).update_all(["#{"#{post_action_type_key}_count"} = ?", 1.where(:post_id => post_id).where(:post_action_type_id => post_action_type_id).count])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

topic.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:610

Topic.visible.listable_topics.secured(Guardian.new(user)).joins("JOIN topic_search_data s ON topics.id = s.topic_id").joins("LEFT JOIN categories c ON topics.id = c.topic_id").where("search_data @@ #{Search.to_tsquery(:term => ((Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A") or "#{Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A")} & #{Search.set_tsquery_weight_filter((SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)).present? and Search.prepare_data(SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)))), "B")}")), :joiner => "|")}").where("c.topic_id IS NULL").order("ts_rank(search_data, #{Search.to_tsquery(:term => ((Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A") or "#{Search.set_tsquery_weight_filter(Search.prepare_data(title.strip), "A")} & #{Search.set_tsquery_weight_filter((SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)).present? and Search.prepare_data(SearchIndexer::HtmlScrubber.scrub(PrettyText.cook((raw.presence or "")[(0...200)].strip)))), "B")}")), :joiner => "|")}) DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

upload.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/upload.rb:356

Upload.by_users.where("url NOT LIKE '%/original/_X/%' AND url LIKE '%/uploads/#{RailsMultisite::ConnectionManagement.current_db}%'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/upload.rb or mark it as false positive.

topic_user.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic_user.rb:210

Group.joins("LEFT OUTER JOIN group_users gu ON gu.group_id = groups.id AND gu.user_id = #{user_id}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.

user_history.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_history.rb:227

self.where(:action => filters[:action_id]).where(:custom_type => filters[:custom_type]).where("#{key}_id = ?", User.where(:username_lower => filters[key].downcase).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_history.rb or mark it as false positive.

post_action.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:235

Topic.where(:id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).update_all(["#{"#{post_action_type_key}_count"} = ?", Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).sum("#{post_action_type_key}_count")])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

user_search.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_search.rb:173

User.joins("JOIN (SELECT unnest uid, row_number() OVER () AS rn\n      FROM unnest('{#{search_ids.join(",")}}'::int[])\n    ) x on uid = users.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

post_action.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:234

Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck_first(:topic_id)).sum("#{post_action_type_key}_count")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

topic.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:303

where("topics.category_id IS NULL OR topics.category_id IN (SELECT id FROM categories WHERE #{(["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[0]})", (["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[1])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

user.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user.rb:242

joins(DB.sql_fragment("LEFT JOIN category_users ON category_users.user_id = users.id AND category_users.category_id = :category_id", :category_id => topic.category_id)).joins(DB.sql_fragment("LEFT JOIN topic_users ON topic_users.user_id = users.id AND topic_users.topic_id = :topic_id", :topic_id => topic.id)).joins("LEFT JOIN tag_users ON tag_users.user_id = users.id AND tag_users.tag_id IN (#{(topic.tag_ids.join(",").presence or "NULL")})")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user.rb or mark it as false positive.

groups_controller.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/groups_controller.rb:296

find_group(:group_id).users.human_users.filter_by_username_or_email(params[:filter].split(",")).filter_by_username(params[:filter].split(",")).joins(:user_option).select("users.*, user_options.timezone, group_users.created_at as added_at").order((("" or "group_users.created_at #{(("ASC" or "DESC") or ("DESC" or "ASC"))}") or "#{params[:order]} #{(("ASC" or "DESC") or ("DESC" or "ASC"))} NULLS LAST"))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

reviewable.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/reviewable.rb:483

by_status(viewable_by(user, :order => (((("reviewables.score ASC, reviewables.created_at DESC" or "reviewables.created_at DESC, reviewables.score DESC") or "reviewables.created_at ASC, reviewables.score DESC") or "reviewables.score DESC, reviewables.created_at DESC"))), status).where(:id => ids).where("reviewables.type = ?", type).where("reviewables.category_id = ?", category_id).where("reviewables.topic_id = ?", topic_id).where("reviewables.created_at >= ?", from_date).where("reviewables.created_at <= ?", to_date).joins("        INNER JOIN(\n          SELECT reviewable_id\n          FROM reviewable_histories\n          WHERE reviewable_history_type = #{ReviewableHistory.types[:transitioned]} AND\n          status <> #{Reviewable.statuses[:pending]} AND created_by_id = #{User.find_by_username(reviewed_by).id}\n) AS rh ON rh.reviewable_id = reviewables.id\n")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/reviewable.rb or mark it as false positive.

list_controller.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/list_controller.rb:432

TopTopic.where("#{period}_score > 0")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/list_controller.rb or mark it as false positive.

groups_controller.rb
code Severe
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/controllers/groups_controller.rb:289

find_group(:group_id).users.human_users.filter_by_username_or_email(params[:filter].split(",")).filter_by_username(params[:filter].split(",")).joins(:user_option).select("users.*, user_options.timezone, group_users.created_at as added_at").order("NOT group_users.owner").order((("" or "group_users.created_at #{(("ASC" or "DESC") or ("DESC" or "ASC"))}") or "#{params[:order]} #{(("ASC" or "DESC") or ("DESC" or "ASC"))} NULLS LAST"))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as false positive.

report.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/report.rb:327

subject_class.where("#{query_column} >= ? and #{query_column} < ?", report.prev_start_date, report.prev_end_date)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/report.rb or mark it as false positive.

has_custom_fields.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/concerns/has_custom_fields.rb:125

"#{name}CustomField".constantize.where("#{(name.underscore << "_id")} in (?)", { obj.id => obj }.keys).where("name in (?)", fields).pluck((name.underscore << "_id"), :name, :value)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/concerns/has_custom_fields.rb or mark it as false positive.

report.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/report.rb:340

subject_class.where("#{query_column} >= ? and #{query_column} < ?", (report.start_date - 30.days), report.start_date)

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/report.rb or mark it as false positive.

user_search.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/user_search.rb:57

scoped_users.includes(:user_search_data).where("user_search_data.search_data @@ #{Search.ts_query(:term => (@term), :ts_config => "simple")}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

topic.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1512

DB.build(sql).where("t.archetype <> '#{Archetype.private_message}'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

theme_field.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/theme_field.rb:14

where(:theme_id => theme_ids).joins("JOIN (\n          SELECT #{theme_ids.map.with_index do
 "#{id.to_i} AS theme_id, #{idx} AS theme_sort_column"
 end.join(" UNION ALL SELECT ")}\n        ) as X ON X.theme_id = theme_fields.theme_id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/theme_field.rb or mark it as false positive.

topic.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1557

DB.build("    SELECT COUNT(*) as count, tt.created_at AS \"date\"\n    FROM (\n      SELECT t.id, t.created_at::date AS created_at, MIN(p.post_number) first_reply\n      FROM topics t\n      LEFT JOIN posts p ON p.topic_id = t.id AND p.user_id != t.user_id AND p.deleted_at IS NULL AND p.post_type = #{Post.types[:regular]}\n      /*where*/\n      GROUP BY t.id\n    ) tt\n    WHERE tt.first_reply IS NULL OR tt.first_reply < 2\n    GROUP BY tt.created_at\n    ORDER BY tt.created_at\n").where("t.archetype <> '#{Archetype.private_message}'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

topic.rb
code Moderate
SQL Injection
Discovered 6 months ago
Source: static code analysis
Category: SQL Injection
Confidence level: Weak

Problem

Possible SQL injection

Location

app/models/topic.rb:1583

DB.build("    SELECT COUNT(*) as count\n    FROM (\n      SELECT t.id, MIN(p.post_number) first_reply\n      FROM topics t\n      LEFT JOIN posts p ON p.topic_id = t.id AND p.user_id != t.user_id AND p.deleted_at IS NULL AND p.post_type = #{Post.types[:regular]}\n      /*where*/\n      GROUP BY t.id\n    ) tt\n    WHERE tt.first_reply IS NULL OR tt.first_reply < 2\n").where("t.archetype <> '#{Archetype.private_message}'")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.