
static_controller.rb
Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/static_controller.rb:187

send_file(File.expand_path(((Rails.root + "public/assets/") + params[:path])), :disposition => nil, :type => "application/javascript")

Category description: Occurs when user-supplied input containing ".." or similar characters is passed through to file access APIs, allowing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

show.html.erb
Moderate
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: Weak

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:27

crawlable_meta_data(:title => Topic.find_by_id(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[(params[:id] or "faq")][:topic_id])).title, :description => SiteSetting.site_description)

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without being escaped, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.