We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/reviewable_queued_post.rb:95

# The scanner renders the `post` local inlined at each use; read it as one
# PostCreator call whose result is reused (assumed from the three identical
# expressions in the flagged line).
post = PostCreator.new(
  created_by,
  create_options.merge(
    :skip_validations => true,
    :skip_jobs => true,
    :skip_events => true,
    :skip_guardian => true
  )
).create

Notification.create!(
  :notification_type => Notification.types[:post_approved],
  :user_id => created_by.id,
  :data => { :post_url => post.url }.to_json,
  :topic_id => post.topic_id,
  :post_number => post.post_number
)

Category description: Mass assignment is unprotected when a model is created or updated from an attribute hash the client controls (for example Model.new(params[:model]) with no permit list). Every column then becomes writable from the request, so an attacker can, for example, set the admin flag to true. For this finding, note that every key in the hash passed to Notification.create! is a literal and every value is computed server-side (the creating user's id and the url, topic_id and post_number of the post just created); create_options is merged into the PostCreator arguments, not into this hash. The weak confidence reflects that: the pattern matches a create! call with a hash argument, but no request-controlled key reaches the model here.

Solution: fix the issue in app/models/reviewable_queued_post.rb (build model attributes only from an explicit allow-list or from server-derived values) or mark the finding as a false positive.
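The example below is added here to show the difference between the vulnerable shape the category describes, the strong-parameters style fix, and the server-built hash shape of the flagged call. It is not code from Discourse or Hakiri; it uses a stand-in User class instead of ActiveRecord so it runs without Rails, and the names User, permit_attributes, create_user_unprotected, create_user_protected and build_notification_attrs, as well as the sample request body, are constructed for illustration.

```ruby
require "json"

# Stand-in for an ActiveRecord model (hypothetical, not Discourse's User).
# Like AR's attribute-hash constructor, every key in the hash becomes a
# column write, which is exactly what makes unfiltered input dangerous.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Constructed request body an attacker would send, e.g. the JSON
# {"user":{"name":"mallory","email":"m@example.test","admin":true}}
ATTACKER_PARAMS = {
  "user" => { "name" => "mallory", "email" => "m@example.test", "admin" => true }
}.freeze

# Vulnerable: the request hash goes straight into the model, so the
# client-supplied "admin" key is written like any other column.
def create_user_unprotected(params)
  User.new(params["user"])
end

# Strong-parameters style allow-list: only the named keys survive, so the
# "admin" key is dropped before the hash reaches the model.
def permit_attributes(hash, allowed)
  hash.select { |key, _| allowed.include?(key.to_s) }
end

# Hardened: same request, filtered through the allow-list.
def create_user_protected(params)
  User.new(permit_attributes(params["user"], %w[name email]))
end

# Not mass assignment at all: literal keys, server-computed values. This is
# the shape of the flagged Notification.create! call; nothing the client
# sent can add or rename a key here. `post` is a hash standing in for the
# created post record.
def build_notification_attrs(created_by_id, post)
  {
    notification_type: :post_approved,
    user_id: created_by_id,
    data: { post_url: post[:url] }.to_json,
    topic_id: post[:topic_id],
    post_number: post[:post_number]
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin=#{create_user_unprotected(ATTACKER_PARAMS).admin}"
  puts "protected   admin=#{create_user_protected(ATTACKER_PARAMS).admin}"
  puts build_notification_attrs(7, url: "/t/1/2", topic_id: 1, post_number: 2).inspect
end
```

When triaging a mass-assignment finding, the check is the one build_notification_attrs makes visible: ask whether any key of the hash, not just its values, can be chosen by the client. A hash whose keys are all literals in the source cannot be used to flip a column the code never names, whatever the scanner pattern matched on.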