# Django Mass Assignment Vulnerability

- ID: django-mass-assignment
- Severity: HIGH
- CWE: Mass Assignment (CWE-915)
- Languages: Python
- Frameworks: django

## Description

Detects Django code that creates or updates models using all request data without validation. This allows attackers to set arbitrary fields, including sensitive ones like `is_admin`, `is_staff`, or permissions.

NOTE: This rule only flags POST/PUT/PATCH request body data (`request.POST`, `request.data`). It does NOT flag `request.GET` or `request.query_params`, as those are typically used for read-only filtering operations and cannot cause mass assignment vulnerabilities in standard Django ORM usage.

## Remediation

Use `ModelForm` with an explicit `fields` list to whitelist the attributes a request may set.

```python
from django import forms
from django.http import HttpResponse, HttpResponseBadRequest
from .models import User


class UserForm(forms.ModelForm):
    class Meta:
        model = User
        # Only these fields are bound from request data; privilege fields
        # such as is_staff or is_superuser can never be set through the form.
        fields = ['username', 'email', 'bio']


def create_user(request):
    form = UserForm(request.POST)
    if form.is_valid():
        form.save()
        return HttpResponse(status=201)
    return HttpResponseBadRequest(form.errors.as_json())
```

Learn more: https://shoulder.dev/learn/python/cwe-915/mass-assignment

## Related Rules

- **Prisma Mass Assignment Vulnerability** [CRITICAL]
- **Class/Attribute Pollution** [HIGH]
- **Serializer/Form Exposes Privilege Fields** [HIGH]
- **TypeORM Mass Assignment Vulnerability** [CRITICAL]
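The following is an added example, not part of this rule page or of the shoulder.dev scanner's own implementation. It is a simplified AST-based detector that illustrates the distinction the rule describes: `**request.POST`/`**request.data` splatted into a model constructor, `create()` or `update()` call, and `setattr` loops driven by `request.POST`/`request.data`, are reported, while the same patterns over `request.GET` or `request.query_params` are ignored. The sample Django source it scans is constructed for the example and assumes hypothetical `User` and `UserForm` names.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass

# Request attributes carrying a writable request body (flagged by the rule).
BODY_ATTRS = {"POST", "data"}
# Read-only query attributes the rule deliberately ignores.
QUERY_ATTRS = {"GET", "query_params"}


@dataclass
class Finding:
    lineno: int
    reason: str


def _request_attr(node: ast.AST) -> str | None:
    """Return the request attribute name if `node` (or any sub-node) reads
    request.<attr> for one of the attributes we care about, else None."""
    for sub in ast.walk(node):
        if (isinstance(sub, ast.Attribute)
                and isinstance(sub.value, ast.Name)
                and sub.value.id == "request"
                and sub.attr in BODY_ATTRS | QUERY_ATTRS):
            return sub.attr
    return None


class MassAssignmentVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Pattern 1: Model(**request.POST...), .create(**request.data), .update(**request.data)
        for kw in node.keywords:
            if kw.arg is None:  # a **kwargs splat
                attr = _request_attr(kw.value)
                if attr in BODY_ATTRS:
                    self.findings.append(
                        Finding(node.lineno, f"**request.{attr} splatted into call"))
        self.generic_visit(node)

    def visit_For(self, node: ast.For) -> None:
        # Pattern 2: for key, value in request.POST.items(): setattr(obj, key, value)
        attr = _request_attr(node.iter)
        if attr in BODY_ATTRS:
            for sub in ast.walk(node):
                if (isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
                        and sub.func.id == "setattr"):
                    self.findings.append(
                        Finding(sub.lineno, f"setattr driven by request.{attr}"))
                    break
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    """Parse Python source and return mass-assignment findings sorted by line."""
    visitor = MassAssignmentVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.lineno)


# Constructed sample views; line numbers in comments count from the leading newline.
SAMPLE = '''
def create_user(request):
    return User.objects.create(**request.POST.dict())   # line 3: flagged

def update_profile(request, pk):
    user = User.objects.get(pk=pk)
    for key, value in request.data.items():
        setattr(user, key, value)                        # line 8: flagged
    user.save()

def search(request):
    return User.objects.filter(**request.GET.dict())    # read-only query: not flagged

def safe_create(request):
    form = UserForm(request.POST)                        # whitelisted by ModelForm: not flagged
    if form.is_valid():
        return form.save()
'''


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"line {finding.lineno}: {finding.reason}")
```

Running the block reports lines 3 and 8 only; the `request.GET` filter and the `ModelForm` path produce no finding, matching the NOTE above. A production rule would also need to follow the request data through intermediate variables (`payload = request.data` and so on), which this illustration does not attempt.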