Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: High

Problem

Unprotected mass assignment

Location

app/models/concerns/second_factor_manager.rb:16

UserSecondFactor.create!({ :user_id => self.id, :method => UserSecondFactor.methods[:totp], :data => ROTP::Base32.random }.merge(opts))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/concerns/second_factor_manager.rb or mark it as false positive.