We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Discovered 6 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak


Unprotected mass assignment



CustomEmoji.new(:name => (params[:name] or File.basename((params[:file] or params[:files].first).original_filename, ".*")).gsub(/[^a-z0-9]+/i, "_").gsub(/_{2,}/, "_").downcase, :upload => UploadCreator.new((params[:file] or params[:files].first).tempfile, (params[:file] or params[:files].first).original_filename, :type => "custom_emoji").create_for(current_user.id), :group => ((params[:group].downcase or nil)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/emojis_controller.rb or mark it as false positive.