igbuend/mass-assignment-anti-pattern
skills/mass-assignment-anti-pattern/SKILL.md
Security anti-pattern for mass assignment vulnerabilities (CWE-915). Use when generating or reviewing code that creates or updates objects from user input, form handling, or API request processing. Detects uncontrolled property binding enabling privilege escalation.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard mass-assignment-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:19 PM41.7s1 file scanned
SKILL.md
- name:
- mass-assignment-anti-pattern
- description:
- Security anti-pattern for mass assignment vulnerabilities (CWE-915). Use when generating or reviewing code that creates or updates objects from user input, form handling, or API request processing. Detects uncontrolled property binding enabling privilege escalation.
Mass Assignment Anti-Pattern
Severity: High
Summary
Mass assignment (autobinding) occurs when frameworks automatically bind HTTP parameters to object properties without filtering. Attackers inject unauthorized properties (isAdmin: true) to escalate privileges or modify protected fields. This vulnerability enables complete access control bypass through parameter injection.
The Anti-Pattern
Never use user-provided data dictionaries to update models without filtering for allowed properties. Use explicit allowlists.
BAD Code Example
# VULNERABLE: Incoming request data used directly to update user model
from flask import request
from db import User, session
@app.route("/api/users/me", methods=["POST"])
def update_profile():
# User already authenticated
user = get_current_user()
# Attacker crafts JSON body:
# {
# "email": "[email protected]",
# "is_admin": true
# }
request_data = request.get_json()
# ORMs allow updating objects from dictionaries
# If User model has `is_admin` property, it updates here
for key, value in request_data.items():
setattr(user, key, value) # Direct, unsafe assignment
session.commit()
return {"message": "Profile updated."}
# Attacker just became administrator
GOOD Code Example
# SECURE: Use DTO or explicit allowlist to control updatable fields
from flask import request
from db import User, session
# Option 1: Allowlist of fields
ALLOWED_UPDATE_FIELDS = {"email", "first_name", "last_name"}
@app.route("/api/users/me", methods=["POST"])
def update_profile_allowlist():
user = get_current_user()
request_data = request.get_json()
for key, value in request_data.items():
# Update only if in explicit allowlist
if key in ALLOWED_UPDATE_FIELDS:
setattr(user, key, value)
session.commit()
return {"message": "Profile updated."}
# Option 2 (Better): Use DTO or schema for validation
from pydantic import BaseModel, EmailStr
class UserUpdateDTO(BaseModel):
# Defines *only* submittable fields
# `is_admin` not included, can't be set by user
email: EmailStr
first_name: str
last_name: str
@app.route("/api/users/me/dto", methods=["POST"])
def update_profile_dto():
user = get_current_user()
try:
# Pydantic raises validation error if extra fields present
update_data = UserUpdateDTO(**request.get_json())
except ValidationError as e:
return {"error": str(e)}, 400
user.email = update_data.email
user.first_name = update_data.first_name
user.last_name = update_data.last_name
session.commit()
return {"message": "Profile updated."}
Detection
- Find direct model updates from request data: Grep for unsafe binding:
rg 'setattr.*request\.|\.update\(request\.' --type pyrg 'Object\.assign.*req\.body|\.save\(req\.body' --type jsrg 'BeanUtils\.copyProperties|ModelMapper' --type java
- Identify blocklist approaches (insecure): Find key deletion patterns:
rg 'del.*\[.*(admin|role|permission)|\.pop\(.*(admin|role)' --type pyrg 'delete.*\.(isAdmin|role)|omit\(' --type js- Blocklists are insecure - search for allowlist patterns instead
- Test for mass assignment: Send malicious parameters:
curl -X POST /api/users -d '{"email":"[email protected]","isAdmin":true}'- Try:
isAdmin,role,permissions,accountBalance,verified
- Check for DTO usage: Verify proper input validation:
rg 'class.*DTO|@Valid|validator\.validate' --type py --type java
Prevention
- [ ] Use allowlists: Never use blocklists. Always use allowlists of user-settable properties
- [ ] Use DTOs or schemas: Strictly define expected request body. Most robust solution
- [ ] Set sensitive properties explicitly: Outside mass assignment (e.g.,
new_user.is_admin = False) - [ ] Know framework features: Some frameworks include mass assignment protections. Use them correctly
Related Security Patterns & Anti-Patterns
- Excessive Data Exposure Anti-Pattern: Inverse of mass assignment—returns too much data instead of accepting too much
- Missing Authentication Anti-Pattern: Unauthenticated mass assignment allows anyone to modify objects
References
- OWASP Top 10 A01:2025 - Broken Access Control
- OWASP GenAI LLM06:2025 - Excessive Agency
- OWASP API Security API3:2023 - Broken Object Property Level Authorization
- OWASP Mass Assignment
- CWE-915: Mass Assignment
- CAPEC-114: Authentication Abuse
- PortSwigger: Api Testing
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026