Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

If the object contains attributes that are not intended to be modified, then an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks.

व्यापकता

उच्च

बार-बार शोषित

प्रभाव

क्रिटिकल

2 क्रिटिकल गंभीरता वाले नियम

रोकथाम

प्रलेखित

5 फिक्स उदाहरण

2 रोकथाम

इस भेद्यता को कैसे ठीक करें

5 Shoulder डिटेक्शन नियमों पर आधारित Mass Assignment के लिए रोकथाम रणनीतियाँ।

🐍 Python सब देखें Python विवरण →

Django Mass Assignment Vulnerability HIGH

Use ModelForm with explicit fields whitelist instead of **kwargs or exclude

+14 -8 python

- from django.http import JsonResponse
- from .models import User
- 
- def update_user(request, user_id):
-     user = User.objects.get(id=user_id)
-     for key, value in request.POST.items():
-         setattr(user, key, value)
-     user.save()
+ from django import forms
+ from django.http import JsonResponse
+ from .models import User
+ 
+ class UserForm(forms.ModelForm):
+     class Meta:
+         model = User
+         fields = ['username', 'email', 'bio']
+ 
+ def update_user(request, user_id):
+     user = User.objects.get(id=user_id)
+     form = UserForm(request.POST, instance=user)
+     if form.is_valid():
+         form.save()
      return JsonResponse({'status': 'updated'})

Class/Attribute Pollution HIGH

Whitelist allowed attributes before using setattr() or __dict__.update()

+11 -7 python

- from flask import request
- 
- @app.route('/update', methods=['POST'])
- def update():
-     user = User.query.get(1)
-     data = request.get_json()
-     for key, value in data.items():
+ from flask import request, abort
+ 
+ ALLOWED_ATTRS = {"username", "email", "display_name"}
+ 
+ @app.route('/update', methods=['POST'])
+ def update():
+     user = User.query.get(1)
+     data = request.get_json()
+     for key, value in data.items():
+         if key not in ALLOWED_ATTRS:
+             abort(400, f"Cannot update field: {key}")
          setattr(user, key, value)
      db.session.commit()
      return 'Updated'

Serializer/Form Exposes Privilege Fields HIGH

Use explicit field lists in serializers and mark privilege fields as read-only

+2 -1 python

  from rest_framework import serializers
  from django.contrib.auth.models import User
  
  class UserSerializer(serializers.ModelSerializer):
      class Meta:
          model = User
-         fields = '__all__'
+         fields = ['id', 'username', 'email', 'first_name', 'last_name']
+         read_only_fields = ['id']

🟨 JavaScript सब देखें JavaScript विवरण →

Prisma Mass Assignment Vulnerability CRITICAL

Validate input with Zod schema and use explicit field assignment instead of spreading req.body

+19 -10 javascript

  import { PrismaClient } from '@prisma/client';
- const prisma = new PrismaClient();
- 
- app.post('/api/users', async (req, res) => {
-   const user = await prisma.user.create({
-     data: { ...req.body }
-   });
-   res.json(user);
- });
- 
- // Attacker sends: { "email": "[email protected]", "role": "admin", "credits": 99999 }
+ import { z } from 'zod';
+ const prisma = new PrismaClient();
+ 
+ const createUserSchema = z.object({
+   email: z.string().email(),
+   name: z.string().min(1).max(100),
+ });
+ 
+ app.post('/api/users', async (req, res) => {
+   const input = createUserSchema.parse(req.body);
+   const user = await prisma.user.create({
+     data: {
+       email: input.email,
+       name: input.name,
+       role: 'user', // Set server-side, not from input
+     }
+   });
+   res.json(user);
+ });

TypeORM Mass Assignment Vulnerability CRITICAL

Use explicit field assignment or class-transformer with excludeExtraneousValues instead of spreading req.body

+18 -10 javascript

  import { getRepository } from 'typeorm';
- import { User } from './user.entity';
- 
- app.put('/api/users/:id', async (req, res) => {
-   const repo = getRepository(User);
-   const user = await repo.findOne(req.params.id);
-   Object.assign(user, req.body);
-   await repo.save(user);
-   res.json(user);
- });
- // Attacker sends: { "email": "[email protected]", "role": "admin", "isAdmin": true }
+ import { plainToClass } from 'class-transformer';
+ import { validate } from 'class-validator';
+ import { UpdateUserDto } from './update-user.dto';
+ 
+ app.put('/api/users/:id', async (req, res) => {
+   const dto = plainToClass(UpdateUserDto, req.body, {
+     excludeExtraneousValues: true,
+   });
+   const errors = await validate(dto);
+   if (errors.length > 0) return res.status(400).json({ errors });
+ 
+   const repo = getRepository(User);
+   const user = await repo.findOne(req.params.id);
+   user.email = dto.email;
+   user.username = dto.username;
+   await repo.save(user);
+   res.json(user);
+ });

3 पहचान

अपने कोड में भेद्यताएँ खोजें

Improperly Controlled Modification of Dynamically-Determined Object Attributes पैटर्न के लिए अपने कोडबेस को स्कैन करने के लिए Shoulder का उपयोग करें। 5 नियम.

टर्मिनल

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=915

# Or scan entire project
npx @shoulderdev/cli trust .

पहचान नियम (5)

🐍 Python 3 rules

Django Mass Assignment Vulnerability HIGH

Detects Django code that creates or updates models using all request data without validation. This allows attackers to set arbitrary fields including sensitive ones like is_admin, is_staff, or permissions. NOTE: This rule only flags POST/PUT/PATCH request body data (request.POST, request.data). It does NOT flag request.GET or request.query_params, as those are typically used for read-only filtering operations and cannot cause mass assignment vulnerabilities in standard Django ORM usage.

Class/Attribute Pollution HIGH

Detects unsafe modification of class attributes or object __dict__ using user input.

Serializer/Form Exposes Privilege Fields HIGH

Detects serializers or forms that expose privilege-related fields without marking them as read-only.

🟨 Javascript 2 rules

Prisma Mass Assignment Vulnerability CRITICAL

Spreading req.body into Prisma create/update allows attackers to modify protected fields like role, credits, or permissions.

TypeORM Mass Assignment Vulnerability CRITICAL

Directly assigning req.body to entities allows attackers to modify protected fields like role, isAdmin, or credits.

🔷 Typescript 2 rules

Prisma Mass Assignment Vulnerability CRITICAL

Spreading req.body into Prisma create/update allows attackers to modify protected fields like role, credits, or permissions.

TypeORM Mass Assignment Vulnerability CRITICAL

Directly assigning req.body to entities allows attackers to modify protected fields like role, isAdmin, or credits.

4 चेतावनी संकेत

कोड समीक्षा में किन बातों पर ध्यान दें

ये पैटर्न संभावित Improperly Controlled Modification of Dynamically-Determined Object Attributes भेद्यताओं का संकेत देते हैं। कोड समीक्षा और सुरक्षा ऑडिट के दौरान इन्हें देखें।

🟠

Django code that creates or updates models using all request data without validation django-mass-assignment

🟠

unsafe modification of class attributes or object __dict__ using user input python-class-pollution

🟠

serializers or forms that expose privilege-related fields without marking them as read-only python-serializer-privilege-exposure

🔴

... uses unvalidated user input in data parameter. Use explicit field whitelisting with validation. prisma-mass-assignment

🔴

Entity properties assigned directly from user input without whitelisting. This allows unauthorized field modification. typeorm-mass-assignment

🔍

अपने कोडबेस को इसके लिए स्कैन करें: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Shoulder CLI आपके पूरे कोडबेस में भेद्य पैटर्न खोजता है।

npx shoulder trust सभी नियम देखें