# Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. **Stack:** JavaScript - Prevalence: 높음 자주 악용됨 - Impact: 치명적 2개의 치명적 심각도 규칙 - Prevention: 문서화됨 5개의 수정 예시 **OWASP:** Injection (A03:2021-Injection) - #3 ## Description If the object contains attributes that are not intended to be modified, then an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks. ## Prevention 2개의 Shoulder 탐지 규칙을 기반으로 한 Mass Assignment 예방 전략. ### JavaScript Validate input with Zod schema and use explicit field assignment instead of spreading req.body Use explicit field assignment or class-transformer with excludeExtraneousValues instead of spreading req.body ## Warning Signs - [CRITICAL] ... uses unvalidated user input in data parameter. Use explicit field whitelisting with validation. - [CRITICAL] Entity properties assigned directly from user input without whitelisting. This allows unauthorized field modification. ## Consequences - 권한 획득 - 보호 메커니즘 우회 - 애플리케이션 데이터 수정 ## Mitigations - 대량 할당(mass assignment)에는 허용된 속성의 허용 목록을 사용하세요 - 예상치 못한 속성을 거부하도록 적절한 입력 검증을 구현하세요 - 수정 가능한 필드를 제어하기 위해 Data Transfer Object(DTO)를 사용하세요 ## Detection - Total rules: 5 - Critical: 2 - Languages: python, javascript, typescript ## Rules by Language ### Javascript (2 rules) - **Prisma Mass Assignment Vulnerability** [CRITICAL]: Spreading req.body into Prisma create/update allows attackers to modify protected fields like role, credits, or permissions. - Remediation: Use explicit field assignment instead of spreading req.body. ```typescript const input = createUserSchema.parse(req.body); const user = await prisma.user.create({ data: { email: input.email, name: input.name // role not assigned from user input } }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-915/prisma-mass-assignment - **TypeORM Mass Assignment Vulnerability** [CRITICAL]: Directly assigning req.body to entities allows attackers to modify protected fields like role, isAdmin, or credits. - Remediation: Use explicit field assignment instead of spreading request data. ```typescript const user = repository.create({ username: req.body.username, email: req.body.email // role and isAdmin not assigned from user input }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-915/mass-assignment ### Typescript (2 rules) - **Prisma Mass Assignment Vulnerability** [CRITICAL]: Spreading req.body into Prisma create/update allows attackers to modify protected fields like role, credits, or permissions. - Remediation: Use explicit field assignment instead of spreading req.body. ```typescript const input = createUserSchema.parse(req.body); const user = await prisma.user.create({ data: { email: input.email, name: input.name // role not assigned from user input } }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-915/prisma-mass-assignment - **TypeORM Mass Assignment Vulnerability** [CRITICAL]: Directly assigning req.body to entities allows attackers to modify protected fields like role, isAdmin, or credits. - Remediation: Use explicit field assignment instead of spreading request data. ```typescript const user = repository.create({ username: req.body.username, email: req.body.email // role and isAdmin not assigned from user input }); ``` Learn more: https://shoulder.dev/learn/typescript/cwe-915/mass-assignment