Skip to main content

Mass Assignment

Description

We sent a payload with extra properties relating to RBAC and they were accepted. This means that the object was not properly sanitized and special properties can be forced into the object.

Remediation

You must validate all objects and all their properties, even when not documented in the API.

REST Specific

Asp_net

In ASP.NET, to prevent mass assignment vulnerabilities, use view models with only the properties that should be updated and apply the [Bind] attribute to limit properties that can be bound. Additionally, avoid using the UpdateModel or TryUpdateModel methods with your domain models directly. Always validate and sanitize input before applying changes to the data model.

Ruby_on_rails

In Ruby on Rails, prevent mass assignment vulnerabilities by using strong parameters. Explicitly permit only the required parameters for an object using the permit method in the controller. For example, if you have a User model, define a private method in the UsersController that whitelists the user parameters like so: params.require(:user).permit(:name, :email). This ensures that only the allowed attributes can be set through mass assignment.

Next_js

In Next.js, to prevent mass assignment vulnerabilities, ensure that you explicitly define the properties that can be updated. Use libraries like lodash or ES6 functions to pick only the allowed fields from the request body before passing them to your data update functions. Additionally, consider using TypeScript for stronger typing and compile-time checks.

Laravel

In Laravel, to prevent mass assignment vulnerabilities, always define fillable or guarded properties in your Eloquent models. Use the 'fillable' property to specify which attributes should be mass-assignable. Alternatively, use the 'guarded' property to define which attributes are not mass-assignable. Additionally, leverage Form Request validation to ensure only expected data is passed through and consider using DTOs (Data Transfer Objects) for complex data handling. Regularly review your code to ensure that mass assignment protections are in place and effective.

Express_js

In Express.js, to prevent mass assignment vulnerabilities, use middleware like express-validation to validate incoming data against a predefined schema, or manually define a list of allowed fields and only accept those. Additionally, consider using ORMs like Sequelize or Mongoose that support field whitelisting.

Django

In Django, ensure that you define explicit fields in your forms or serializers that correspond to the model attributes you want to allow for mass assignment. Use the 'fields' attribute in ModelForm or the Django REST Framework serializers to control which fields are accepted. Additionally, leverage the 'exclude' attribute to specify any fields that should not be included in the form or API input. Always validate incoming data and consider using the '@property' decorator to define read-only properties that cannot be set through mass assignment.

Symfony

In Symfony, to prevent mass assignment vulnerabilities, use the 'allow_extra_fields' option in your form configuration and set it to 'false'. This ensures that only the fields explicitly defined in the form will be accepted. Additionally, explicitly define the properties that should be mutable by using the 'property_path' option for each field, and avoid using the 'handleRequest' method with untrusted data sources. Always validate and sanitize input data before binding it to your models.

Spring_boot

In Spring Boot, to prevent mass assignment vulnerabilities, use DTOs (Data Transfer Objects) to explicitly define the properties that should be bound from the request payloads. Additionally, leverage the @JsonIgnoreProperties annotation to ignore unexpected fields, and use @JsonProperty(access = Access.READ_ONLY) on fields that should not be writable. Always validate input and consider using groups with @Validated to apply different validation rules for different operations.

Flask

In Flask, to prevent mass assignment vulnerabilities, ensure that you explicitly define which fields can be modified by the user. Use forms or serializers to whitelist allowed fields and ignore any unexpected fields sent in the request. Additionally, leverage the Flask-WTF or Marshmallow libraries to enforce strict input validation and deserialization. Always avoid directly passing request data to ORM save or update methods without proper filtering.

Nuxt

In Nuxt.js, to prevent mass assignment vulnerabilities, explicitly define the properties that should be allowed in your models or data objects. Use libraries like vue-safe-html for sanitizing input and consider implementing a strict allowlist of permissible fields when handling user input. Additionally, leverage Nuxt.js middleware to validate and sanitize incoming data before it reaches your application logic.

Fastapi

In FastAPI, to prevent mass assignment vulnerabilities, explicitly define which fields are allowed to be updated in your Pydantic models using the Field function with the exclude parameter. Additionally, use the Body function with the embed parameter to ensure that only the specified fields can be received from the request payload. Implement role-based access control (RBAC) checks to ensure users can only modify fields they are authorized to change.

Configuration

Identifier: injection/mass_assignment

Examples

Ignore this check

checks:
  injection/mass_assignment:
    skip: true

Score

  • Escape Severity: HIGH

Compliance

  • OWASP: API1:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.18.1
  • nist: SP800-53
  • fedramp: AC-6

Classification

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
  • CVSS_SCORE: 9.3