Improperly Controlled Modification of Dynamically-Determined Object Attributes

- from django.http import JsonResponse
- from .models import User
- 
- def update_user(request, user_id):
-     user = User.objects.get(id=user_id)
-     for key, value in request.POST.items():
-         setattr(user, key, value)
-     user.save()
+ from django import forms
+ from django.http import JsonResponse
+ from .models import User
+ 
+ class UserForm(forms.ModelForm):
+     class Meta:
+         model = User
+         fields = ['username', 'email', 'bio']
+ 
+ def update_user(request, user_id):
+     user = User.objects.get(id=user_id)
+     form = UserForm(request.POST, instance=user)
+     if form.is_valid():
+         form.save()
      return JsonResponse({'status': 'updated'})
  

- from flask import request
- 
- @app.route('/update', methods=['POST'])
- def update():
-     user = User.query.get(1)
-     data = request.get_json()
-     for key, value in data.items():
+ from flask import request, abort
+ 
+ ALLOWED_ATTRS = {"username", "email", "display_name"}
+ 
+ @app.route('/update', methods=['POST'])
+ def update():
+     user = User.query.get(1)
+     data = request.get_json()
+     for key, value in data.items():
+         if key not in ALLOWED_ATTRS:
+             abort(400, f"Cannot update field: {key}")
          setattr(user, key, value)
      db.session.commit()
      return 'Updated'
  

  from rest_framework import serializers
  from django.contrib.auth.models import User
  
  class UserSerializer(serializers.ModelSerializer):
      class Meta:
          model = User
-         fields = '__all__'
+         fields = ['id', 'username', 'email', 'first_name', 'last_name']
+         read_only_fields = ['id']
  

  import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.post('/api/users', async (req, res) => {
-   const user = await prisma.user.create({
-     data: { ...req.body }
-   });
-   res.json(user);
- });
- 
- // Attacker sends: { "email": "[email protected]", "role": "admin", "credits": 99999 }
+ import { z } from 'zod';
+ const prisma = new PrismaClient();
+ 
+ const createUserSchema = z.object({
+   email: z.string().email(),
+   name: z.string().min(1).max(100),
+ });
+ 
+ app.post('/api/users', async (req, res) => {
+   const input = createUserSchema.parse(req.body);
+   const user = await prisma.user.create({
+     data: {
+       email: input.email,
+       name: input.name,
+       role: 'user', // Set server-side, not from input
+     }
+   });
+   res.json(user);
+ });
  

  import { getRepository } from 'typeorm';
- import { User } from './user.entity';
- 
- app.put('/api/users/:id', async (req, res) => {
-   const repo = getRepository(User);
-   const user = await repo.findOne(req.params.id);
-   Object.assign(user, req.body);
-   await repo.save(user);
-   res.json(user);
- });
- // Attacker sends: { "email": "[email protected]", "role": "admin", "isAdmin": true }
+ import { plainToClass } from 'class-transformer';
+ import { validate } from 'class-validator';
+ import { UpdateUserDto } from './update-user.dto';
+ 
+ app.put('/api/users/:id', async (req, res) => {
+   const dto = plainToClass(UpdateUserDto, req.body, {
+     excludeExtraneousValues: true,
+   });
+   const errors = await validate(dto);
+   if (errors.length > 0) return res.status(400).json({ errors });
+ 
+   const repo = getRepository(User);
+   const user = await repo.findOne(req.params.id);
+   user.email = dto.email;
+   user.username = dto.username;
+   await repo.save(user);
+   res.json(user);
+ });