backups_controller.rb
Severity: Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/controllers/admin/backups_controller.rb:52

send_file(Backup[params.fetch(:id)].path)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/admin/backups_controller.rb or mark it as a false positive.

export_csv_controller.rb
Severity: Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/controllers/export_csv_controller.rb:21

send_file(UserExport.get_download_path(params.fetch(:id)))

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/export_csv_controller.rb or mark it as a false positive.

emoji.rb
Severity: Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/models/emoji.rb:72

File.open("#{Emoji.base_directory}/#{name}#{File.extname(file.original_filename)}", "wb")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/emoji.rb or mark it as a false positive.

user_export.rb
Severity: Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/models/user_export.rb:13

File.delete("#{UserExport.base_directory}/#{"#{expired_export.file_name}-#{expired_export.id}.csv.gz"}")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/user_export.rb or mark it as a false positive.

upload.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:263

FileUtils.rm(((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(upload)), :force => true)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as a false positive.

uploads_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:81

File.open("#{File.dirname((FileHelper.download(url, [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse-upload-#{type}") rescue nil or file.tempfile).path)}/blob.jpg")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as a false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:44

send_file(LetterAvatar.generate(params[:letter].to_s, params[:size].to_i, :identity => LetterAvatar::Identity.new), :disposition => nil)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as a false positive.

optimized_image.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/optimized_image.rb:202

FileUtils.rm(((FileHelper.download(((SiteSetting.scheme + ":") + optimized_image.url.dup), SiteSetting.max_image_size_kb.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(optimized_image)), :force => true)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/optimized_image.rb or mark it as a false positive.

uploads_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:83

File.delete("#{File.dirname((FileHelper.download(url, [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse-upload-#{type}") rescue nil or file.tempfile).path)}/blob.jpg")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as a false positive.

optimized_image.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/optimized_image.rb:193

File.open(((FileHelper.download(((SiteSetting.scheme + ":") + optimized_image.url.dup), SiteSetting.max_image_size_kb.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(optimized_image)))

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/optimized_image.rb or mark it as a false positive.

emoji.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/emoji.rb:71

FileUtils.mkdir_p(Pathname.new("#{Emoji.base_directory}/#{name}#{File.extname(file.original_filename)}").dirname)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/emoji.rb or mark it as a false positive.

upload.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/models/upload.rb:253

File.open(((FileHelper.download(((SiteSetting.scheme + ":") + upload.url.dup), [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse", true) rescue nil).path or FileStore::LocalStore.new.path_for(upload)))

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/upload.rb or mark it as a false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:116

send_file(Discourse.store.path_for(get_optimized_image((Upload.find_by(:id => upload_id.to_i) or User.find_by(:username_lower => params[:username].to_s.downcase).uploaded_avatar), params[:size].to_i)), :disposition => nil)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as a false positive.

uploads_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Model attribute used in file name

Location

app/controllers/uploads_controller.rb:41

send_file(Discourse.store.path_for((Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"]))), :filename => (Upload.find_by(:sha1 => params[:sha]) or Upload.find_by(:id => params[:id], :url => request.env["PATH_INFO"])).original_filename, :disposition => "inline")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as a false positive.

user_avatars_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/user_avatars_controller.rb:61

send_file(LetterAvatar.generate(params[:username].to_s, params[:size].to_i), :disposition => nil)

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/user_avatars_controller.rb or mark it as a false positive.

static_controller.rb
Severity: Moderate
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Weak

Problem

Parameter value used in file name

Location

app/controllers/static_controller.rb:156

send_file(File.expand_path(((Rails.root + "public/assets/") + params[:path])), :disposition => nil, :type => "application/javascript")

Category description: This issue arises when user-supplied input that can contain ".." or similar characters is passed through to file access APIs, causing access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as a false positive.