Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:220

UserSecondFactor.create!(:user_id => self.id, :data => code.to_json, :enabled => true, :method => UserSecondFactor.methods[:backup_codes])

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g., by changing the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as a false positive.