screened_ip_addresses_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/screened_ip_addresses_controller.rb:26

ScreenedIpAddress.new(allowed_params)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/screened_ip_addresses_controller.rb or mark it as false positive.

published_pages_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/published_pages_controller.rb:77

PublishedPage.new(:topic => Topic.new, :slug => params[:slug].strip)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/published_pages_controller.rb or mark it as false positive.

category.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/category.rb:770

Permalink.create(:url => Permalink.normalize_url(((+"#{Discourse.base_path}/c" << "/#{parent_category.slug_path.join("/")}") << "/#{saved_changes.transform_values(&:first)["slug"]}/#{id}")), :category_id => id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/category.rb or mark it as false positive.

user_action.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/user_action.rb:271

self.new(hash)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/user_action.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:340

UserHistory.create!(:details => ("title matching badge id #{UserBadge.find_by(:id => params[:user_badge_id]).badge.id}"), :previous_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :new_value => UserBadge.find_by(:id => params[:user_badge_id]).badge.display_name, :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:change_title])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

emojis_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/emojis_controller.rb:30

CustomEmoji.new(:name => (params[:name] or File.basename((params[:file] or params[:files].first).original_filename, ".*")).gsub(/[^a-z0-9]+/i, "_").gsub(/_{2,}/, "_").downcase, :upload => UploadCreator.new((params[:file] or params[:files].first).tempfile, (params[:file] or params[:files].first).original_filename, :type => "custom_emoji").create_for(current_user.id), :group => ((params[:group].downcase or nil)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/emojis_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:355

UserHistory.create!(:previous_value => "", :target_user_id => fetch_user_from_params.id, :action => UserHistory.actions[:revoke_title])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

api_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/api_controller.rb:110

ApiKeyScope.new(:resource => resource, :action => action, :allowed_parameters => build_params(scope_params, ApiKeyScope.scope_mappings.dig(resource.to_sym, action.to_sym)[:params]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/api_controller.rb or mark it as false positive.

tag_user.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/tag_user.rb:100

TagUser.create(:user_id => user_id.id.to_i, :tag_id => (tag_id.id or (tag_id or Tag.find_by_id(tag_id)).target_tag_id).to_i, :notification_level => level)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/tag_user.rb or mark it as false positive.

remote_theme.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/remote_theme.rb:43

Theme.new(:user_id => ((user.id or -1)), :name => RemoteTheme.extract_theme_info(ThemeStore::ZipImporter.new(filename, original_filename))["name"])

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/remote_theme.rb or mark it as false positive.

post_mover.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/post_mover.rb:46

Topic.create!(:user => Post.find_by(:id => post_ids.first).user, :title => title, :category_id => category_id, :created_at => Post.find_by(:id => post_ids.first).created_at, :archetype => ((Archetype.private_message or Archetype.default)))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/post_mover.rb or mark it as false positive.

optimized_image.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/optimized_image.rb:103

OptimizedImage.create!(:upload_id => upload.id, :sha1 => Upload.generate_digest(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :extension => (".#{(opts[:format] or upload.extension)}"), :width => width, :height => height, :url => "", :filesize => File.size(Tempfile.new(["discourse-thumbnail", ".#{(opts[:format] or upload.extension)}"]).path), :version => 2)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/optimized_image.rb or mark it as false positive.

topic_user.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/topic_user.rb:241

TopicUser.create!(attrs.merge!(:user_id => user_id, :topic_id => topic_id, :first_visited_at => DateTime.now, :last_visited_at => DateTime.now))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/topic_user.rb or mark it as false positive.

permalinks_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/admin/permalinks_controller.rb:23

Permalink.new(:url => params[:url], "tag_id" => Tag.find_by_name(params[:permalink_type_value]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/admin/permalinks_controller.rb or mark it as false positive.

reviewable_claimed_topics_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/reviewable_claimed_topics_controller.rb:11

ReviewableClaimedTopic.create!(:user_id => current_user.id, :topic_id => Topic.with_deleted.find_by(:id => params[:reviewable_claimed_topic][:topic_id]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/reviewable_claimed_topics_controller.rb or mark it as false positive.

reviewable_queued_post.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/reviewable_queued_post.rb:95

Notification.create!(:notification_type => Notification.types[:post_approved], :user_id => created_by.id, :data => { :post_url => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.url }.to_json, :topic_id => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.topic_id, :post_number => PostCreator.new(created_by, create_options.merge(:skip_validations => true, :skip_jobs => true, :skip_events => true, :skip_guardian => true)).create.post_number)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/reviewable_queued_post.rb or mark it as false positive.

username_validator.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/models/username_validator.rb:27

User.new(user)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/models/username_validator.rb or mark it as false positive.

invites_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/invites_controller.rb:173

Invite.find_by(:invited_by => current_user, :id => params[:id]).topic_invites.create!(:topic_id => Topic.find_by(:id => params[:topic_id]).id)

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/invites_controller.rb or mark it as false positive.

users_controller.rb
Severity: Moderate
Mass Assignment
Discovered 5 months ago
Source: static code analysis
Category: Mass Assignment
Confidence level: Weak

Problem

Unprotected mass assignment

Location

app/controllers/users_controller.rb:1250

IgnoredUser.create!(:user => current_user, :ignored_user => fetch_user_from_params, :expiring_at => Time.parse(params[:expiring_at]))

Category description: Unprotected model attributes give the attacker a way to rewrite them. E.g., change the admin flag to true.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.