remote_theme.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:43

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::ZipImporter.new(filename, original_filename))["name"])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as a false positive.

post_mover.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/post_mover.rb:46

Topic.create!(:user => Post.find_by(:id => post_ids.first).user, :title => title, :category_id => category_id, :created_at => Post.find_by(:id => post_ids.first).created_at, :archetype => ((Archetype.private_message or Archetype.default)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/post_mover.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:606

User.new.attributes = user_params.except(:timezone)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

user.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user.rb:1226

UserAvatar.create!(:user_id => id, :custom_upload_id => SiteSetting.selectable_avatars.sample.id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:873

User.with_email(params[:email]).admins.human_users.first.email_tokens.create(:email => User.with_email(params[:email]).admins.human_users.first.email)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.

groups_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/groups_controller.rb:521

GroupRequest.create!(:group => find_group(:id), :user => current_user, :reason => params[:reason])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/groups_controller.rb or mark it as a false positive.

remote_theme.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:84

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["name"], :component => [true, "true"].include?(RemoteTheme.extract_theme_info(ThemeStore::GitImporter.new(url.strip, :private_key => private_key, :branch => branch))["component"]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as a false positive.

user_api_keys_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/user_api_keys_controller.rb:74

UserApiKey.create!(:application_name => params[:application_name], :client_id => params[:client_id], :user_id => current_user.id, :push_url => params[:push_url], :scopes => (params[:scopes].split(",").map do |name|
  UserApiKeyScope.new(:name => name)
end))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/user_api_keys_controller.rb or mark it as a false positive.

group.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/group.rb:667

Notification.create!(:notification_type => Notification.types[:membership_request_accepted], :user_id => user.id, :data => { :group_id => id, :group_name => name }.to_json)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/group.rb or mark it as a false positive.

user_auth_token.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user_auth_token.rb:28

UserAuthTokenLog.create!(info)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user_auth_token.rb or mark it as a false positive.

categories_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/categories_controller.rb:128

Category.new(required_create_params.merge(:user => current_user))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/categories_controller.rb or mark it as a false positive.

optimized_image.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/optimized_image.rb:103

OptimizedImage.create!(:upload_id => upload.id, :sha1 => Upload.generate_digest(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :extension => (".#{(opts[:format] or upload.extension)}"), :width => width, :height => height, :url => "", :filesize => File.size(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :version => 2)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/optimized_image.rb or mark it as a false positive.

topic_user.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_user.rb:241

TopicUser.create!(attrs.merge!(:user_id => user_id, :topic_id => topic_id, :first_visited_at => DateTime.now, :last_visited_at => DateTime.now))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/topic_user.rb or mark it as a false positive.

permalinks_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/permalinks_controller.rb:23

Permalink.new(:url => params[:url], "tag_id" => Tag.find_by_name(params[:permalink_type_value]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/permalinks_controller.rb or mark it as a false positive.

reviewable_claimed_topics_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/reviewable_claimed_topics_controller.rb:11

ReviewableClaimedTopic.create!(:user_id => current_user.id, :topic_id => Topic.with_deleted.find_by(:id => params[:reviewable_claimed_topic][:topic_id]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/reviewable_claimed_topics_controller.rb or mark it as a false positive.

reviewable_queued_post.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/reviewable_queued_post.rb:95

Notification.create!(:notification_type => Notification.types[:post_approved], :user_id => created_by.id, :data => { :post_url => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.url }.to_json, :topic_id => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.topic_id, :post_number => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.post_number)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/reviewable_queued_post.rb or mark it as a false positive.

username_validator.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/username_validator.rb:27

User.new(user)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/username_validator.rb or mark it as a false positive.

invites_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/invites_controller.rb:173

Invite.find_by(:invited_by => current_user, :id => params[:id]).topic_invites.create!(:topic_id => Topic.find_by(:id => params[:topic_id]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/invites_controller.rb or mark it as a false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:1250

IgnoredUser.create!(:user => current_user, :ignored_user => fetch_user_from_params, :expiring_at => Time.parse(params[:expiring_at]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as a false positive.