What is mass assignment?
In order to reduce the work for developers, many frameworks provide convenient mass-assignment functionality. This lets developers inject an entire set of user-entered data from a form directly into an object or database. Without it, developers would be forced to tediously add code specifically for each field of data, cluttering the code base with repeated form mapping code. I said by rope security.
Let’s understand in easy word with one example suppose in application there is sign up page and User has two roles normal user and Admin User. so, how to find user that user is admin or not. for that some time framework or some developer do like dynamically set flag to admin in source code it is like hidden field in source code.
it can cause severe damage if used improperly.This functionality is usually included as part of an Object Relational Mapper (ORM) or Object Document Mapper (ODM). ORMs aren’t as popular in Node as they are in other languages, but they come up occasionally. ODMs are popular if you use MongoDB, CouchDB, or another schema-less document database.
Let’s say you have a
User model that needs to be updated with several changes. You could update each field individually, or you could pass all of the changes from a form and update it in one go.
take previous code for for frontend..,
in this example suppose developer is using Mass Assignment for Admin using hidden parameter and if normal user add that hidden flag in update form then normal user can also get admin privilege right.
this happened in many web application and hacked.
- Turn off mass assignment completely; in Mongoose this is accomplished by using strict mode.
- Whitelist the fields that are safe to be mass assigned, iterate over your body params, and only save the whitelisted fields.
- Blacklist the fields that are not safe to be mass assigned, iterate over your body params, and only save the fields that are not blacklisted.
There is also a plugin for Mongoose specifically, Mongoose Mass Assign, that will assist with this.
here we take “first_name”, “last_name” and “id” for whitelist because that fields are not vulnerable.
The choice is yours, depending on which is easier in your application. so, if you are using other library so you have a similar method of whitelisting or blacklisting mass assignable fields. If you use a custom library/framework, start implementing whitelists and blacklists!