Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
If the object contains attributes that are not intended to be modified, then an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks.
Rozpowszechnienie
Wysoka
Często wykorzystywana
Wplyw
Krytyczny
2 reguł o krytycznym poziomie
Zapobieganie
Udokumentowane
5 przykładów poprawek
2 Zapobieganie
2 Zapobieganie
Jak naprawić tę podatność
Strategie zapobiegania dla Mass Assignment oparte na 5 regułach detekcji Shoulder.
Django Mass Assignment Vulnerability
HIGH
Use ModelForm with explicit fields whitelist instead of **kwargs or exclude
- from django.http import JsonResponse - from .models import User - - def update_user(request, user_id): - user = User.objects.get(id=user_id) - for key, value in request.POST.items(): - setattr(user, key, value) - user.save() + from django import forms + from django.http import JsonResponse + from .models import User + + class UserForm(forms.ModelForm): + class Meta: + model = User + fields = ['username', 'email', 'bio'] + + def update_user(request, user_id): + user = User.objects.get(id=user_id) + form = UserForm(request.POST, instance=user) + if form.is_valid(): + form.save() return JsonResponse({'status': 'updated'})
Class/Attribute Pollution
HIGH
Whitelist allowed attributes before using setattr() or __dict__.update()
- from flask import request - - @app.route('/update', methods=['POST']) - def update(): - user = User.query.get(1) - data = request.get_json() - for key, value in data.items(): + from flask import request, abort + + ALLOWED_ATTRS = {"username", "email", "display_name"} + + @app.route('/update', methods=['POST']) + def update(): + user = User.query.get(1) + data = request.get_json() + for key, value in data.items(): + if key not in ALLOWED_ATTRS: + abort(400, f"Cannot update field: {key}") setattr(user, key, value) db.session.commit() return 'Updated'
Serializer/Form Exposes Privilege Fields
HIGH
Use explicit field lists in serializers and mark privilege fields as read-only
from rest_framework import serializers from django.contrib.auth.models import User class UserSerializer(serializers.ModelSerializer): class Meta: model = User - fields = '__all__' + fields = ['id', 'username', 'email', 'first_name', 'last_name'] + read_only_fields = ['id']
JavaScript
Zobacz wszystko JavaScript szczegóły →
Prisma Mass Assignment Vulnerability
CRITICAL
Validate input with Zod schema and use explicit field assignment instead of spreading req.body
import { PrismaClient } from '@prisma/client'; - const prisma = new PrismaClient(); - - app.post('/api/users', async (req, res) => { - const user = await prisma.user.create({ - data: { ...req.body } - }); - res.json(user); - }); - - // Attacker sends: { "email": "[email protected]", "role": "admin", "credits": 99999 } + import { z } from 'zod'; + const prisma = new PrismaClient(); + + const createUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), + }); + + app.post('/api/users', async (req, res) => { + const input = createUserSchema.parse(req.body); + const user = await prisma.user.create({ + data: { + email: input.email, + name: input.name, + role: 'user', // Set server-side, not from input + } + }); + res.json(user); + });
TypeORM Mass Assignment Vulnerability
CRITICAL
Use explicit field assignment or class-transformer with excludeExtraneousValues instead of spreading req.body
import { getRepository } from 'typeorm'; - import { User } from './user.entity'; - - app.put('/api/users/:id', async (req, res) => { - const repo = getRepository(User); - const user = await repo.findOne(req.params.id); - Object.assign(user, req.body); - await repo.save(user); - res.json(user); - }); - // Attacker sends: { "email": "[email protected]", "role": "admin", "isAdmin": true } + import { plainToClass } from 'class-transformer'; + import { validate } from 'class-validator'; + import { UpdateUserDto } from './update-user.dto'; + + app.put('/api/users/:id', async (req, res) => { + const dto = plainToClass(UpdateUserDto, req.body, { + excludeExtraneousValues: true, + }); + const errors = await validate(dto); + if (errors.length > 0) return res.status(400).json({ errors }); + + const repo = getRepository(User); + const user = await repo.findOne(req.params.id); + user.email = dto.email; + user.username = dto.username; + await repo.save(user); + res.json(user); + });
3 Wykrywanie
3 Wykrywanie
Znajdz podatnosci w swoim kodzie
Uzyj Shoulder do skanowania kodu w poszukiwaniu wzorcow Improperly Controlled Modification of Dynamically-Determined Object Attributes. 5 reguly.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=915 # Or scan entire project npx @shoulderdev/cli trust .
Reguly Wykrywania (5)
🐍
Python
3 rules
Django Mass Assignment Vulnerability
HIGH
Detects Django code that creates or updates models using all request data
without validation. This allows attackers to set arbitrary fields including
sensitive ones like is_admin, is_staff, or permissions.
NOTE: This rule only flags POST/PUT/PATCH request body data (request.POST,
request.data). It does NOT flag request.GET or request.query_params, as those
are typically used for read-only filtering operations and cannot cause
mass assignment vulnerabilities in standard Django ORM usage.
Class/Attribute Pollution
HIGH
Detects unsafe modification of class attributes or object __dict__ using
user input.
Serializer/Form Exposes Privilege Fields
HIGH
Detects serializers or forms that expose privilege-related fields without
marking them as read-only.
🟨
Javascript
2 rules
Prisma Mass Assignment Vulnerability
CRITICAL
Spreading req.body into Prisma create/update allows attackers to modify
protected fields like role, credits, or permissions.
TypeORM Mass Assignment Vulnerability
CRITICAL
Directly assigning req.body to entities allows attackers to modify protected
fields like role, isAdmin, or credits.
🔷
Typescript
2 rules
Prisma Mass Assignment Vulnerability
CRITICAL
Spreading req.body into Prisma create/update allows attackers to modify
protected fields like role, credits, or permissions.
TypeORM Mass Assignment Vulnerability
CRITICAL
Directly assigning req.body to entities allows attackers to modify protected
fields like role, isAdmin, or credits.
4 Sygnaly Ostrzegawcze
4 Sygnaly Ostrzegawcze
Na co zwracac uwage podczas przegladu kodu
Te wzorce wskazuja na potencjalne podatnosci Improperly Controlled Modification of Dynamically-Determined Object Attributes. Szukaj ich podczas przegladow kodu i audytow bezpieczenstwa.
Django code that creates or updates models using all request data
without validation
django-mass-assignment
unsafe modification of class attributes or object __dict__ using
user input
python-class-pollution
serializers or forms that expose privilege-related fields without
marking them as read-only
python-serializer-privilege-exposure
... uses unvalidated user input in data parameter. Use explicit field whitelisting with validation.
prisma-mass-assignment
Entity properties assigned directly from user input without whitelisting. This allows unauthorized field modification.
typeorm-mass-assignment
Przeskanuj swój kod w poszukiwaniu Improperly Controlled Modification of Dynamically-Determined Object Attributes
Shoulder CLI znajduje podatne wzorce w całym Twoim kodzie.