We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak


Unprotected mass assignment



OptimizedImage.create!(:upload_id => upload.id, :sha1 => Upload.generate_digest(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :extension => (".#{(opts[:format] or upload.extension)}"), :width => width, :height => height, :url => "", :filesize => File.size(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :version => 2)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.