Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/tag_user.rb:100

TagUser.create(:user_id => user_id.id.to_i, :tag_id => (tag_id.id or (tag_id or Tag.find_by_id(tag_id)).target_tag_id).to_i, :notification_level => level)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/tag_user.rb or mark it as false positive.