# Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

**Stack:** JavaScript

- Prevalence: 高 頻繁に悪用される
- Impact: クリティカル 2 件の重大度クリティカルなルール
- Prevention: 文書化済み 5 件の修正例

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

If the object contains attributes that are not intended to be modified, then an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks.

## Prevention

2 件の Shoulder 検出ルールに基づく Mass Assignment の予防策。

### JavaScript

Validate input with Zod schema and use explicit field assignment instead of spreading req.body

Use explicit field assignment or class-transformer with excludeExtraneousValues instead of spreading req.body

## Warning Signs

- [CRITICAL] ... uses unvalidated user input in data parameter. Use explicit field whitelisting with validation.
- [CRITICAL] Entity properties assigned directly from user input without whitelisting. This allows unauthorized field modification.

## Consequences

- 権限の取得
- 保護メカニズムの回避
- アプリケーションデータの変更

## Mitigations

- マスアサインメントには許可された属性の許可リストを使用する
- 予期しない属性を拒否するための適切な入力検証を実装する
- 変更可能なフィールドを制御するためにデータ転送オブジェクト (DTO) を使用する

## Detection

- Total rules: 5
- Critical: 2
- Languages: python, javascript, typescript

## Rules by Language

### Javascript (2 rules)

- **Prisma Mass Assignment Vulnerability** [CRITICAL]: Spreading req.body into Prisma create/update allows attackers to modify
protected fields like role, credits, or permissions.
  - Remediation: Use explicit field assignment instead of spreading req.body.

```typescript
const input = createUserSchema.parse(req.body);
const user = await prisma.user.create({
  data: {
    email: input.email,
    name: input.name
    // role not assigned from user input
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/prisma-mass-assignment
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]: Directly assigning req.body to entities allows attackers to modify protected
fields like role, isAdmin, or credits.
  - Remediation: Use explicit field assignment instead of spreading request data.

```typescript
const user = repository.create({
  username: req.body.username,
  email: req.body.email
  // role and isAdmin not assigned from user input
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/mass-assignment

### Typescript (2 rules)

- **Prisma Mass Assignment Vulnerability** [CRITICAL]: Spreading req.body into Prisma create/update allows attackers to modify
protected fields like role, credits, or permissions.
  - Remediation: Use explicit field assignment instead of spreading req.body.

```typescript
const input = createUserSchema.parse(req.body);
const user = await prisma.user.create({
  data: {
    email: input.email,
    name: input.name
    // role not assigned from user input
  }
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/prisma-mass-assignment
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]: Directly assigning req.body to entities allows attackers to modify protected
fields like role, isAdmin, or credits.
  - Remediation: Use explicit field assignment instead of spreading request data.

```typescript
const user = repository.create({
  username: req.body.username,
  email: req.body.email
  // role and isAdmin not assigned from user input
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-915/mass-assignment