# Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: Critical, 2 rules with critical severity
- Prevention: Documented, 5 fix examples

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

If the object contains attributes that are not intended to be modified, then an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks.

## Prevention

Prevention strategies for mass assignment, based on 3 Shoulder detection rules.

### Python

- Use `ModelForm` with an explicit `fields` whitelist instead of `**kwargs` or `exclude`
- Whitelist allowed attributes before using `setattr()` or `__dict__.update()`
- Use explicit field lists in serializers and mark privilege fields as read-only

## Warning Signs

- [HIGH] Django code that creates or updates models using all request data without validation
- [HIGH] Unsafe modification of class attributes or object `__dict__` using user input
- [HIGH] Serializers or forms that expose privilege-related fields without marking them as read-only

## Consequences

- Gain privileges
- Bypass a protection mechanism
- Modify application data

## Mitigations

- Use an allowlist of permitted attributes for mass assignment
- Implement appropriate input validation to reject unexpected attributes
- Use Data Transfer Objects (DTOs) to control which fields can be modified

## Detection

- Total rules: 5
- Critical: 2
- Languages: python, javascript, typescript

## Rules by Language

### Python (3 rules)

- **Django Mass Assignment Vulnerability** [HIGH]: Detects Django code that creates or updates models using all request data without validation. This allows attackers to set arbitrary fields, including sensitive ones like `is_admin`, `is_staff`, or `permissions`. NOTE: This rule only flags POST/PUT/PATCH request body data (`request.POST`, `request.data`). It does NOT flag `request.GET` or `request.query_params`, as those are typically used for read-only filtering operations and cannot cause mass assignment vulnerabilities in standard Django ORM usage.

  Remediation: Use `ModelForm` with explicit `fields` to whitelist allowed attributes.

  ```python
  from django import forms
  from django.http import HttpResponse, HttpResponseBadRequest

  from .models import User


  class UserForm(forms.ModelForm):
      class Meta:
          model = User
          # Explicit allowlist: privilege fields such as is_staff are never
          # bound from request data, whatever the client sends.
          fields = ['username', 'email', 'bio']


  def create_user(request):
      form = UserForm(request.POST)
      if form.is_valid():
          form.save()
          return HttpResponse(status=201)
      return HttpResponseBadRequest(form.errors.as_json())
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/mass-assignment

- **Class/Attribute Pollution** [HIGH]: Detects unsafe modification of class attributes or object `__dict__` using user input.

  Remediation: Whitelist allowed attributes before using `setattr`.

  ```python
  # Only these attributes may be written from request data.
  ALLOWED_ATTRS = {"username", "email"}

  for key, value in request.data.items():
      # Keys outside the allowlist (is_staff, __class__, ...) are never applied.
      if key in ALLOWED_ATTRS:
          setattr(user, key, value)
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/class-pollution

- **Serializer/Form Exposes Privilege Fields** [HIGH]: Detects serializers or forms that expose privilege-related fields without marking them as read-only.

  Remediation: Use explicit field lists and mark privilege fields as read-only.

  ```python
  from rest_framework import serializers

  from .models import User


  class UserSerializer(serializers.ModelSerializer):
      class Meta:
          model = User
          # Explicit list of writable fields; privilege flags are declared
          # read-only so they can never be set from a request body.
          fields = ['username', 'email']
          read_only_fields = ['is_staff', 'is_superuser']
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/serializer-privilege-exposure
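The allowlist pattern the three Python rules above call for, shown end to end as an added example in plain Python (not Shoulder's or Django's code): the flagged "write every request key" update beside a version that rejects unexpected attributes instead of silently dropping them. The `User` dataclass, the field names and the helper names are assumptions.

```python
"""Allowlist-based attribute update (hypothetical helper, not Shoulder's code)."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    bio: str = ""
    is_staff: bool = False      # privilege field: must never come from request data
    is_superuser: bool = False


# Fields a self-service profile edit is allowed to touch.
PROFILE_FIELDS = frozenset({"username", "email", "bio"})


class UnexpectedAttribute(ValueError):
    """Raised when the request carries a field outside the allowlist."""


def update_unsafe(user: User, data: dict) -> User:
    """The flagged pattern: every request key is written to the object."""
    for key, value in data.items():
        setattr(user, key, value)
    return user


def update_safe(user: User, data: dict, allowed: frozenset = PROFILE_FIELDS) -> User:
    """Reject anything outside the allowlist before touching the object.

    Checking for unexpected keys first (rather than ignoring them) turns an
    attempted privilege escalation into a visible, loggable error.
    """
    unexpected = set(data) - allowed
    if unexpected:
        raise UnexpectedAttribute(f"fields not allowed: {sorted(unexpected)}")
    for key in allowed & set(data):
        setattr(user, key, data[key])
    return user


def demo() -> tuple:
    # Constructed request body: a normal profile edit plus a smuggled privilege flag.
    body = {"bio": "hello", "is_staff": True}
    polluted = update_unsafe(User("alice", "a@example.com"), dict(body))
    clean = User("alice", "a@example.com")
    try:
        update_safe(clean, body)
        rejected = False
    except UnexpectedAttribute:
        rejected = True
    return polluted.is_staff, clean.is_staff, rejected


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```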