users_controller.rb
Critical
Dangerous Send
Discovered almost 5 years ago
Source: static code analysis
Category: Dangerous Send
Confidence level: High

Problem

User controlled method execution

Location

app/controllers/admin/users_controller.rb:156

Promotion.send("tl#{(params[:level].to_i + 1)}_met?", User.find_by(:id => params[:user_id]))

Category description: Using unfiltered user data to select a Class or Method to be dynamically sent is dangerous.

Solution: fix the issue in app/controllers/admin/users_controller.rb or mark it as false positive.

permalinks_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/permalinks_controller.rb:14

redirect_to(Permalink.find_by_url(request.fullpath).target_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/permalinks_controller.rb or mark it as false positive.

show.html.erb
Critical
Cross-Site Scripting
Discovered almost 5 years ago
Source: static code analysis
Category: Cross-Site Scripting
Confidence level: High

Problem

Unescaped model attribute

Location

app/views/static/show.html.erb:20

Topic.find_by_id(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[(params[:id] or "faq")][:topic_id])).posts.first.cooked

Category description: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.

Solution: fix the issue in app/views/static/show.html.erb or mark it as false positive.

tags_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/tags_controller.rb:313

redirect_to("#{Discourse.base_uri}/tags#{Permalink.find_by_url(("c/#{params[:parent_category]}/#{params[:category]}" or "c/#{params[:category]}")).target_url}/#{params[:tag_id]}", :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/tags_controller.rb or mark it as false positive.

clicks_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/clicks_controller.rb:20

redirect_to(TopicLinkClick.create_from(track_params.merge(:ip => request.remote_ip)))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/clicks_controller.rb or mark it as false positive.

user_profile.rb
Critical
Format Validation
Discovered almost 5 years ago
Source: static code analysis
Category: Format Validation
Confidence level: High

Problem

Insufficient validation for 'website' using /(^$)|(^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,10}(([0-9]{1,5})?\/.*)?$)/ix. Use \A and \z as anchors

Location

app/models/user_profile.rb:7

Category description: Using ^ and $ in validates_format_of is not sufficient, as they will only match up to a new line. Use \A and \z instead.

Solution: fix the issue in app/models/user_profile.rb or mark it as false positive.

uploads_controller.rb
Critical
Command Injection
Discovered almost 5 years ago
Source: static code analysis
Category: Command Injection
Confidence level: High

Problem

Possible command injection

Location

app/controllers/uploads_controller.rb:76

`convert #{(FileHelper.download(url, [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse-upload-#{type}") rescue nil or file.tempfile).path} -quality #{SiteSetting.convert_pasted_images_quality} #{"#{File.dirname((FileHelper.download(url, [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes, "discourse-upload-#{type}") rescue nil or file.tempfile).path)}/blob.jpg"}`

Category description: Command injection occurs when shell commands unsafely include user-manipulatable values.

Solution: fix the issue in app/controllers/uploads_controller.rb or mark it as false positive.

posts_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/posts_controller.rb:131

redirect_to(Post.find(params[:post_id].to_i).url)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/posts_controller.rb or mark it as false positive.

application_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/application_controller.rb:339

redirect_to(Permalink.find_by_url(request.fullpath).external_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

screened_ip_addresses_controller.rb
Critical
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: High

Problem

Possible SQL injection

Location

app/controllers/admin/screened_ip_addresses_controller.rb:12

ScreenedIpAddress.where("cidr '#{IPAddr.handle_wildcards(params[:filter])}' >>= ip_address")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/admin/screened_ip_addresses_controller.rb or mark it as false positive.

static_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/static_controller.rb:25

redirect_to(SiteSetting.send({ "faq" => ({ :redirect => "faq_url", :topic_id => "guidelines_topic_id" }), "tos" => ({ :redirect => "tos_url", :topic_id => "tos_topic_id" }), "privacy" => ({ :redirect => "privacy_policy_url", :topic_id => "privacy_topic_id" }) }[params[:id]][:redirect]))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

list_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/list_controller.rb:270

redirect_to(Category.find_by_id(params[:id].to_i).url, :status => 301)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/list_controller.rb or mark it as false positive.

directory_items_controller.rb
Critical
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: High

Problem

Possible SQL injection

Location

app/controllers/directory_items_controller.rb:16

DirectoryItem.where(:period_type => DirectoryItem.period_types[params.require(:period).to_sym]).includes(:user).order("directory_items.#{(params[:order] or DirectoryItem.headings.first)} #{("ASC" or "DESC")}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/controllers/directory_items_controller.rb or mark it as false positive.

session_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:106

redirect_to(SiteSetting.sso_not_approved_url)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

application_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/application_controller.rb:341

redirect_to("#{Discourse.base_uri}#{Permalink.find_by_url(request.fullpath).target_url}", :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

static_controller.rb
Critical
Dynamic Render Path
Discovered almost 5 years ago
Source: static code analysis
Category: Dynamic Render Path
Confidence level: High

Problem

Render path contains parameter value

Location

app/controllers/static_controller.rb:58

render(action => (("static/#{(params[:id] or "faq")}.#{I18n.locale}" or "static/#{(params[:id] or "faq")}.en") or "static/#{(params[:id] or "faq")}"), { :layout => (not request.xhr?), :formats => ([:html]) })

Category description: When a call to render uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

session_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:135

redirect_to((DiscourseSingleSignOn.parse(request.query_string).return_path or path("/")))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

session_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:32

redirect_to(DiscourseSingleSignOn.generate_sso(((params[:return_path] or path("/")) or "#{URI.parse((destination_url or session[:destination_url])).path}#{if URI.parse((destination_url or session[:destination_url])).query then
  ("?" << URI.parse((destination_url or session[:destination_url])).query)
else
  ""
end}")).to_url)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

permalinks_controller.rb
Critical
Redirect
Discovered almost 5 years ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/permalinks_controller.rb:12

redirect_to(Permalink.find_by_url(request.fullpath).external_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/permalinks_controller.rb or mark it as false positive.

topic.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:152

where("topics.category_id IS NULL OR topics.category_id IN (SELECT id FROM categories WHERE #{(["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[0]})", (["NOT read_restricted OR id IN (:cats)", { :cats => guardian.secure_category_ids }] or ["NOT read_restricted"])[1])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

post_action.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:439

Topic.where(:id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).update_all(["#{"#{post_action_type_key}_count"} = ?", Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).sum("#{post_action_type_key}_count")])

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.

backups_controller.rb
Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/controllers/admin/backups_controller.rb:52

send_file(Backup[params.fetch(:id)].path)

Category description: User-supplied input that contains ".." or similar characters and is passed through to file access APIs can cause access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/admin/backups_controller.rb or mark it as false positive.

user_history.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_history.rb:112

self.where(:action => filters[:action_id]).where(:custom_type => filters[:custom_type]).where("#{key}_id = ?", User.where(:username_lower => filters[key].downcase).pluck(:id))

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_history.rb or mark it as false positive.

topic.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/topic.rb:441

Topic.visible.secured(Guardian.new(user)).listable_topics.joins("JOIN topic_search_data s ON topics.id = s.topic_id").where("search_data @@ #{Search.ts_query(Search.prepare_data(((title + " ") + raw[(0...200)])), nil, "|")}").order("ts_rank(search_data, #{Search.ts_query(Search.prepare_data(((title + " ") + raw[(0...200)])), nil, "|")}) DESC")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/topic.rb or mark it as false positive.

user_search.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/user_search.rb:93

User.joins("JOIN (SELECT unnest uid, row_number() OVER () AS rn\n      FROM unnest('{#{search_ids.join(",")}}'::int[])\n    ) x on uid = users.id")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/user_search.rb or mark it as false positive.

user_export.rb
Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/models/user_export.rb:13

File.delete("#{UserExport.base_directory}/#{"#{expired_export.file_name}-#{expired_export.id}.csv.gz"}")

Category description: User-supplied input that contains ".." or similar characters and is passed through to file access APIs can cause access to files outside of an intended subdirectory.

Solution: fix the issue in app/models/user_export.rb or mark it as false positive.

optimized_image.rb
Severe
Command Injection
Discovered almost 5 years ago
Source: static code analysis
Category: Command Injection
Confidence level: Medium

Problem

Possible command injection

Location

app/models/optimized_image.rb:148

`#{instructions.join(" ")} &> /dev/null`

Category description: Command injection occurs when shell commands unsafely include user-manipulatable values.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

export_csv_controller.rb
Severe
File Access
Discovered almost 5 years ago
Source: static code analysis
Category: File Access
Confidence level: Medium

Problem

Model attribute used in file name

Location

app/controllers/export_csv_controller.rb:21

send_file(UserExport.get_download_path(params.fetch(:id)))

Category description: User-supplied input that contains ".." or similar characters and is passed through to file access APIs can cause access to files outside of an intended subdirectory.

Solution: fix the issue in app/controllers/export_csv_controller.rb or mark it as false positive.

group.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/group.rb:207

GroupUser.joins("RIGHT JOIN (#{case name
when :admins then
  "SELECT u.id FROM users u WHERE u.admin"
when :moderators then
  "SELECT u.id FROM users u WHERE u.moderator"
when :staff then
  "SELECT u.id FROM users u WHERE u.moderator OR u.admin"
when :trust_level_1, :trust_level_2, :trust_level_3, :trust_level_4 then
  "SELECT u.id FROM users u WHERE u.trust_level >= #{({ :everyone => 0, :admins => 1, :moderators => 2, :staff => 3, :trust_level_0 => 10, :trust_level_1 => 11, :trust_level_2 => 12, :trust_level_3 => 13, :trust_level_4 => 14 }[name] - 10)}"
when :trust_level_0 then
  "SELECT u.id FROM users u"
else
  # do nothing
end}) X ON X.id = user_id AND group_id = #{(self.lookup_group(name) or Group.new(:name => name.to_s, :automatic => true)).id}")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/group.rb or mark it as false positive.

post_action.rb
Severe
SQL Injection
Discovered almost 5 years ago
Source: static code analysis
Category: SQL Injection
Confidence level: Medium

Problem

Possible SQL injection

Location

app/models/post_action.rb:438

Post.where(:topic_id => Post.with_deleted.where(:id => post_id).pluck(:topic_id).first).sum("#{post_action_type_key}_count")

Category description: SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query.

Solution: fix the issue in app/models/post_action.rb or mark it as false positive.