Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:340

UserHistory.create!(:details => ("title matching badge id #{UserBadge.find_by(:id => params[:user_badge_id]).badge.id}"), :previous_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :new_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:change_title])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.