Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/user_api_keys_controller.rb:74

UserApiKey.create!(:application_name => params[:application_name], :client_id => params[:client_id],
  :user_id => current_user.id, :push_url => params[:push_url],
  :scopes => (params[:scopes].split(",").map do |name|
    UserApiKeyScope.new(:name => name)
  end))

Category description: Unprotected model attributes give an attacker a way to overwrite them, for example by changing the admin flag to true.

Solution: fix the issue in app/controllers/user_api_keys_controller.rb or mark it as false positive.