# Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

**Stack:** Python

- Prevalence: High, frequently exploited
- Impact: Critical, 2 rules at critical level
- Prevention: Documented, 5 fix examples

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

If the object contains attributes that are not intended to be modified, an attacker can use the vulnerability to overwrite critical application values, gain privileges, or bypass security checks.

## Prevention

Prevention strategies for Mass Assignment, based on Shoulder's 3 detection rules.

### Python

- Use ModelForm with an explicit `fields` whitelist instead of `**kwargs` or `exclude`
- Whitelist allowed attributes before calling `setattr()` or `__dict__.update()`
- Use explicit field lists in serializers and mark privilege fields as read-only

## Warning Signs

- [HIGH] Django code that creates or updates models using all request data without validation
- [HIGH] Unsafe modification of class attributes or an object's `__dict__` using user input
- [HIGH] Serializers or forms that expose privilege-related fields without marking them as read-only

## Consequences

- Gain privileges
- Bypass protection mechanism
- Modify application data

## Mitigations

- Use a whitelist of allowed attributes for mass assignment
- Implement proper input validation that rejects unexpected attributes instead of silently dropping them
- Use Data Transfer Objects (DTOs) to control which fields can be modified

## Detection

- Total rules: 5
- Critical: 2
- Languages: python, javascript, typescript

## Rules by Language

### Python (3 rules)

- **Django Mass Assignment Vulnerability** [HIGH]: Detects Django code that creates or updates models using all request data without validation. This allows attackers to set arbitrary fields, including sensitive ones such as `is_admin`, `is_staff`, or `permissions`.

  NOTE: This rule only flags POST/PUT/PATCH request body data (`request.POST`, `request.data`). It does NOT flag `request.GET` or `request.query_params`, because those are typically used for read-only filtering. That is a scoping decision for the detector, not a safety property: unpacking `request.GET.dict()` into `Model.objects.create(**...)` is just as exploitable and must be avoided too.

  Remediation: Use ModelForm with explicit `fields` to whitelist the attributes a request may set.

  ```python
  from django import forms
  from django.http import HttpResponse, HttpResponseBadRequest
  from .models import User


  class UserForm(forms.ModelForm):
      class Meta:
          model = User
          # Only these fields can be set from request data; is_staff, is_superuser
          # and every other model field are ignored even if the client sends them.
          fields = ['username', 'email', 'bio']


  def create_user(request):
      form = UserForm(request.POST)
      if form.is_valid():
          form.save()
          return HttpResponse(status=201)
      return HttpResponseBadRequest(form.errors.as_json())
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/mass-assignment

- **Class/Attribute Pollution** [HIGH]: Detects unsafe modification of class attributes or an object's `__dict__` using user input.

  Remediation: Whitelist allowed attributes before using `setattr`.

  ```python
  ALLOWED_ATTRS = {"username", "email"}

  for key, value in data.items():   # data: the parsed request body
      if key in ALLOWED_ATTRS:      # anything else (is_admin, __class__, ...) is never applied
          setattr(user, key, value)
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/class-pollution

- **Serializer/Form Exposes Privilege Fields** [HIGH]: Detects serializers or forms that expose privilege-related fields without marking them as read-only.

  Remediation: Use explicit field lists and mark privilege fields as read-only. A name listed in `read_only_fields` only takes effect for a field that is also in `fields`; include the privilege fields there if they should be readable, and they will be serialized for display but never written from input.

  ```python
  class Meta:
      model = User
      fields = ['username', 'email', 'is_staff', 'is_superuser']
      # privilege fields are serialized for display but never written from input
      read_only_fields = ['is_staff', 'is_superuser']
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-915/serializer-privilege-exposure
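The Class/Attribute Pollution rule and the Mitigations list above describe the pattern in the abstract. The following is an added example, not code from this page or from Shoulder, that shows both failure modes in plain Python (no Django required) beside two hardened forms: a recursive `unsafe_merge` that copies request keys onto an object, which lets a flat payload set `is_admin` on the instance and a nested `__class__` payload flip the class-level default for every user; then `safe_merge` (whitelist, no recursion, unexpected keys rejected) and a `UserUpdate` DTO that enumerates the writable fields in its type. `User`, `unsafe_merge`, `safe_merge`, `UserUpdate` and the two request bodies are all constructed here for illustration.

```python
# Added example, not code from the page or from Shoulder: the mass-assignment and
# class-pollution failure modes in plain Python beside two hardened forms. User,
# unsafe_merge, safe_merge, UserUpdate and the request bodies are constructed here.
from dataclasses import dataclass, fields
from typing import Any, Mapping, Optional


class User:  # stand-in for an ORM model; not a Django model
    is_admin = False  # class-level default shared by every instance

    def __init__(self, username: str, email: str) -> None:
        self.username = username
        self.email = email


def unsafe_merge(target: Any, data: Mapping[str, Any]) -> Any:
    """VULNERABLE: copies every key of the request body onto the object.
    Nested dicts are followed with getattr(), so a "__class__" key steps from
    the instance to its class and overwrites attributes shared by all instances."""
    for key, value in data.items():
        if isinstance(value, dict) and hasattr(target, key):
            unsafe_merge(getattr(target, key), value)
        else:
            setattr(target, key, value)
    return target


class MassAssignmentError(ValueError):
    """Raised when a request names an attribute outside the whitelist."""


ALLOWED_ATTRS = frozenset({"username", "email"})


def safe_merge(target: Any, data: Mapping[str, Any], allowed: frozenset = ALLOWED_ATTRS) -> Any:
    """HARDENED: flat whitelist, no recursion, unknown keys rejected rather than dropped."""
    unexpected = sorted(set(data) - allowed)
    if unexpected:
        raise MassAssignmentError(f"unexpected attributes: {unexpected}")
    for key, value in data.items():
        setattr(target, key, value)
    return target


@dataclass(frozen=True)
class UserUpdate:
    """DTO form of the same control: the type itself enumerates the writable fields."""
    username: Optional[str] = None
    email: Optional[str] = None

    @classmethod
    def from_request(cls, data: Mapping[str, Any]) -> "UserUpdate":
        unexpected = sorted(set(data) - {f.name for f in fields(cls)})
        if unexpected:
            raise MassAssignmentError(f"unexpected attributes: {unexpected}")
        return cls(**data)

    def apply(self, user: User) -> User:
        for f in fields(self):
            if getattr(self, f.name) is not None:
                setattr(user, f.name, getattr(self, f.name))
        return user


# Constructed request bodies of the kind a client can send to a profile-update endpoint.
ESCALATION_PAYLOAD = {"email": "mallory@example.com", "is_admin": True}
POLLUTION_PAYLOAD = {"__class__": {"is_admin": True}}


def demo_unsafe() -> dict:
    """Both failure modes of unsafe_merge; the polluted class is restored afterwards."""
    alice = User("alice", "alice@example.com")
    bob = User("bob", "bob@example.com")
    try:
        unsafe_merge(alice, ESCALATION_PAYLOAD)
        alice_admin = alice.is_admin  # privilege field set straight on the instance
        unsafe_merge(alice, POLLUTION_PAYLOAD)
        bob_admin = bob.is_admin      # bob was never touched; his class was
    finally:
        User.is_admin = False         # undo the pollution for the rest of the process
    return {"alice_admin": alice_admin, "bob_admin": bob_admin}


def demo_safe() -> dict:
    """The same payloads against safe_merge and UserUpdate; returns what each did."""
    carol = User("carol", "carol@example.com")
    outcomes = {}
    attempts = [("escalation", lambda: safe_merge(carol, ESCALATION_PAYLOAD)),
                ("pollution", lambda: safe_merge(carol, POLLUTION_PAYLOAD)),
                ("dto", lambda: UserUpdate.from_request(ESCALATION_PAYLOAD))]
    for name, attempt in attempts:
        try:
            attempt()
            outcomes[name] = "applied"
        except MassAssignmentError as exc:
            outcomes[name] = str(exc)
    UserUpdate.from_request({"email": "carol@corp.example"}).apply(carol)  # legitimate edit
    outcomes["email"], outcomes["is_admin"] = carol.email, carol.is_admin
    return outcomes
```

Running `demo_unsafe()` returns `{"alice_admin": True, "bob_admin": True}`: the second value is the class-pollution case, where a user who never sent a request becomes an admin because the class attribute was overwritten. `demo_safe()` shows both hardened paths refusing the same payloads with an error naming the offending keys, which is the behaviour the Mitigations list asks for (reject, do not silently drop), while a legitimate email change still goes through.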