We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak


Unprotected mass assignment



Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["name"], :component => [true, "true"].include?(RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["component"]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as false positive.