Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak


Unprotected mass assignment


app/controllers/admin/emojis_controller.rb:30 => (params[:name] or File.basename((params[:file] or params[:files].first).original_filename, ".*")).gsub(/[^a-z0-9]+/i, "_").gsub(/_{2,}/, "_").downcase, :upload =>[:file] or params[:files].first).tempfile, (params[:file] or params[:files].first).original_filename, :type => "custom_emoji").create_for(, :group => ((params[:group].downcase or nil)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/emojis_controller.rb or mark it as false positive.