second_factor_manager.rb
Severity: Critical
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:16

UserSecondFactor.create!({ :user_id => self.id, :method => UserSecondFactor.methods[:totp], :data => ROTP::Base32.random }.merge(opts))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as a false positive.

user_fields_controller.rb
Severity: Critical
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/controllers/admin/user_fields_controller.rb:10

UserField.new(params.require(:user_field).permit(*Admin::UserFieldsController.columns))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/user_fields_controller.rb or mark it as a false positive.

tag_groups_controller.rb
Severity: Severe
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Medium

Problem

Parameters should be whitelisted for mass assignment

Location

app/controllers/tag_groups_controller.rb:89

params.delete(:tag_group).permit!

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as a false positive.

themes_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/themes_controller.rb:62

Theme.new(:name => JSON.parse(params[:theme].read)["theme"]["name"], :user_id => theme_user.id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/themes_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:904

User.human_users.find_by_username_or_email(params[:login]).email_tokens.create!(:email => User.human_users.find_by_username_or_email(params[:login]).email)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

color_schemes_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/color_schemes_controller.rb:12

ColorScheme.create(color_scheme_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/color_schemes_controller.rb or mark it as a false positive.

session_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/session_controller.rb:447

User.find_by_username_or_email(normalized_login_param).email_tokens.create(:email => User.find_by_username_or_email(normalized_login_param).email)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as a false positive.

notifications_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/notifications_controller.rb:76

Notification.create!(notification_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/notifications_controller.rb or mark it as a false positive.

tag_groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/tag_groups_controller.rb:42

TagGroup.new(tag_groups_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/tag_groups_controller.rb or mark it as a false positive.

groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/groups_controller.rb:8

Group.new(group_params.to_h.except(:owner_usernames, :usernames))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/groups_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:795

UserHistory.create!(:target_user => (@user), :acting_user => (@user), :action => UserHistory.actions[:change_password])

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

api_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/api_controller.rb:62

ApiKey.new(update_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/users_controller.rb:311

User.find_by(:id => params[:user_id]).email_tokens.create(:email => User.find_by(:id => params[:user_id]).email)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/users_controller.rb or mark it as a false positive.

web_hooks_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/web_hooks_controller.rb:36

WebHook.new(web_hook_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/web_hooks_controller.rb or mark it as a false positive.

discourse_single_sign_on.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/discourse_single_sign_on.rb:240

User.create!(:primary_email => UserEmail.new(:email => email, :primary => true), :name => ((name.presence or User.suggest_name((username.presence or email)))), :username => UserNameSuggester.suggest((username.presence or (name.presence or email))), :ip_address => ip_address, :locale => locale)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/discourse_single_sign_on.rb or mark it as a false positive.

topic_embed.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_embed.rb:73

TopicEmbed.create!(:topic_id => PostCreator.new(user, :title => title, :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))), :skip_validations => true, :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])), :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id, :visible => false).create.topic_id, :embed_url => normalize_url(url), :content_sha1 => Digest::SHA1.hexdigest((+"" << imported_from_html(url))), :post_id => PostCreator.new(user, :title => title, :raw => absolutize_urls(normalize_url(url), (+"" << imported_from_html(url))), :skip_validations => true, :cook_method => ((Post.cook_methods[:regular] or Post.cook_methods[:raw_html])), :category => EmbeddableHost.record_for_url(normalize_url(url)).category_id, :visible => false).create.id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/topic_embed.rb or mark it as a false positive.

topics_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/topics_controller.rb:311

SharedDraft.create(:topic_id => Topic.find_by(:id => params[:id]).id, :category_id => Category.where(:id => params[:category_id].to_i).first.id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/topics_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:271

UserHistory.create!(:action => UserHistory.actions[:update_email], :acting_user_id => fetch_user_from_params.id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

second_factor_manager.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:220

UserSecondFactor.create!(:user_id => self.id, :data => code.to_json, :enabled => true, :method => UserSecondFactor.methods[:backup_codes])

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as a false positive.

invite.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/invite.rb:152

Invite.create!({}.slice(:email, :moderator, :custom_message, :max_redemptions_allowed))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/invite.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:300

UserHistory.create(:action => UserHistory.actions[:destroy_email], :acting_user_id => fetch_user_from_params.id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

screened_ip_addresses_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/screened_ip_addresses_controller.rb:26

ScreenedIpAddress.new(allowed_params)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/screened_ip_addresses_controller.rb or mark it as a false positive.

published_pages_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/published_pages_controller.rb:77

PublishedPage.new(:topic => Topic.new, :slug => params[:slug].strip)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/published_pages_controller.rb or mark it as a false positive.

category.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/category.rb:770

Permalink.create(:url => Permalink.normalize_url(((+"#{Discourse.base_path}/c" << "/#{parent_category.slug_path.join("/")}") << "/#{saved_changes.transform_values(&:first)["slug"]}/#{id}")), :category_id => id)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/category.rb or mark it as a false positive.

user_action.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user_action.rb:271

self.new(hash)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/user_action.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:340

UserHistory.create!(:details => ("title matching badge id #{UserBadge.find_by(:id => params[:user_badge_id]).badge.id}"), :previous_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :new_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:change_title])

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

emojis_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/emojis_controller.rb:30

CustomEmoji.new(:name => (params[:name] or File.basename((params[:file] or params[:files].first).original_filename, ".*")).gsub(/[^a-z0-9]+/i, "_").gsub(/_{2,}/, "_").downcase, :upload => UploadCreator.new((params[:file] or params[:files].first).tempfile, (params[:file] or params[:files].first).original_filename, :type => "custom_emoji").create_for(current_user.id), :group => ((params[:group].downcase or nil)))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/emojis_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:355

UserHistory.create!(:previous_value => "", :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:revoke_title])

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

api_controller.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/api_controller.rb:110

ApiKeyScope.new(:resource => resource, :action => action, :allowed_parameters => build_params(scope_params, ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)[:params]))

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as a false positive.

tag_user.rb
Severity: Moderate
Mass Assignment
Discovered 3 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/tag_user.rb:100

TagUser.create(:user_id => user_id.id.to_i, :tag_id => (tag_id.id or (tag_id or Tag.find_by_id(tag_id)).target_tag_id).to_i, :notification_level => level)

Category description: Unprotected model attributes give an attacker a way to overwrite them, e.g. by setting the admin flag to true.

Solution: fix the issue in app/models/tag_user.rb or mark it as a false positive.