Blindly mapping JSON payloads directly to your database records.
Mass Assignment (also known as Auto-Binding or Object Injection) is a vulnerability where an application automatically maps user input fields directly onto internal objects or database models. If an attacker submits extra, hidden fields (like `is_admin=true`), the framework will happily overwrite the internal properties, leading to privilege escalation or data corruption.
To prevent Mass Assignment, you must explicitly define which fields are allowed to be updated. The most robust way to do this is using Data Transfer Objects (DTOs) or Explicit Whitelisting.
```python
from flask import Flask, jsonify, request
from flask_login import current_user  # assumed: current_user supplied by Flask-Login
# User is the application's ORM model (not shown on this page).

app = Flask(__name__)

# VULNERABLE: Mass Assignment
@app.route("/update_profile", methods=["POST"])
def update_profile():
    user = User.get(current_user.id)
    # DANGER: Overwrites every key in the user object with the JSON payload.
    # What if the JSON includes {"is_admin": true}?
    user.update(request.json)
    user.save()
    return jsonify(status="ok")
```
```python
from flask import Flask, jsonify, request
from flask_login import current_user  # assumed: current_user supplied by Flask-Login
# User is the application's ORM model (not shown on this page).

app = Flask(__name__)

# SECURE: Explicit Assignment (Whitelisting)
@app.route("/update_profile", methods=["POST"])
def update_profile():
    user = User.get(current_user.id)
    payload = request.json or {}  # guard against a missing/non-JSON body
    # We explicitly map ONLY the safe fields; is_admin and friends are never touched.
    if "username" in payload:
        user.username = payload["username"]
    if "bio" in payload:
        user.bio = payload["bio"]
    user.save()
    return jsonify(status="ok")
```
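The DTO approach from the text, as an added example that is not part of the original page: a frozen dataclass defines the only fields a profile update may carry, unknown keys are rejected (and returned so they can be logged as a tampering signal) instead of silently ignored, and only populated DTO fields are copied onto the model. `User` here is a constructed stand-in for the page's ORM model, not a real library API.

```python
from dataclasses import dataclass, fields, replace
from typing import Any, Optional


@dataclass
class User:
    """Constructed stand-in for the page's User model (assumption)."""
    id: int
    username: str
    bio: str = ""
    is_admin: bool = False


@dataclass(frozen=True)
class ProfileUpdateDTO:
    """The only fields a profile update may carry; anything else is rejected."""
    username: Optional[str] = None
    bio: Optional[str] = None


class UnknownFieldsError(ValueError):
    def __init__(self, unknown: list[str]):
        super().__init__(f"unexpected fields: {unknown}")
        self.unknown = unknown


def parse_profile_update(payload: dict[str, Any]) -> ProfileUpdateDTO:
    """Build the DTO from raw JSON. Unknown keys fail loudly rather than being
    dropped, so a payload carrying is_admin is detectable, not just harmless."""
    allowed = {f.name for f in fields(ProfileUpdateDTO)}
    unknown = sorted(k for k in payload if k not in allowed)
    if unknown:
        raise UnknownFieldsError(unknown)
    for key, value in payload.items():
        if not isinstance(value, str):  # both DTO fields are strings
            raise ValueError(f"{key} must be a string")
    return ProfileUpdateDTO(**payload)


def apply_profile_update(user: User, dto: ProfileUpdateDTO) -> User:
    """Copy only the DTO's populated fields onto the model; is_admin stays."""
    changes = {f.name: getattr(dto, f.name) for f in fields(dto)
               if getattr(dto, f.name) is not None}
    return replace(user, **changes)


def handle_profile_update(user: User, payload: dict[str, Any]) -> tuple[User, list[str]]:
    """Returns (updated user, rejected keys); on rejection nothing is applied."""
    try:
        dto = parse_profile_update(payload)
    except UnknownFieldsError as exc:
        return user, exc.unknown
    return apply_profile_update(user, dto), []
```

In the route handler, a non-empty rejected list is the place to log the caller and the offending keys before returning a 400.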
GitHub was historically compromised by a Mass Assignment vulnerability. A researcher found that by modifying the POST request when updating an SSH key, they could inject a `public_key` array containing a second key, and bind it to a different user's account. Because Rails automatically mapped the array without checking, the researcher successfully injected their SSH key into the Rails core team's repository.
What is the most secure architectural pattern for preventing Mass Assignment?