API3:2023 Broken Object Property Level Authorization
Mass assignment: the handler binds the request body straight into a model object, so a client can write privileged fields (e.g. `is_admin: true`) that the API surface never intended to accept. Every field the model can store becomes writable by anyone who can reach the endpoint, not only the fields the legitimate client sends.
What Vulkro detects
Vulkro looks for unbounded body-to-model assignments: Model(**request.json), Object.assign(user, req.body), setattr(model, k, v) for k,v in body.items(), and equivalents across frameworks. Findings list the bound model and the missing allowlist.
Non-compliant code (examples)
Express — unbounded body bind
app.post('/users/:id', async (req, res) => {
  // Whatever the client sent is passed through unchanged.
  const updates = req.body; // accepts `is_admin: true` if model has the field
  await User.update(req.params.id, updates);
  res.sendStatus(204);
});
Compliant code (examples)
Express — allowlist of writable fields
const ALLOWED = ['display_name', 'avatar_url'];
app.post('/users/:id', async (req, res) => {
  // Object.entries throws on undefined and walks arrays as index/value pairs,
  // so refuse anything that is not a JSON object before iterating it.
  if (!req.body || typeof req.body !== 'object' || Array.isArray(req.body)) {
    return res.sendStatus(400);
  }
  // Keep only allowlisted own keys; is_admin and any other unexpected key is dropped.
  const updates = Object.fromEntries(
    Object.entries(req.body).filter(([k]) => ALLOWED.includes(k))
  );
  await User.update(req.params.id, updates);
  res.sendStatus(204);
});
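As an added worked example (it is not part of this generated page and not Vulkro's code), the following JavaScript runs both handler shapes above against a constructed in-memory user record, so the difference between an unbounded body bind and an allowlist can be observed without a running server. `ALLOWED_USER_FIELDS`, `makeUser`, `updateUnbounded`, `pickAllowed`, `updateAllowlisted` and the attacker body are assumptions made for this demo. It goes one step beyond the page's example: the attacker body also carries an own `__proto__` key, which `JSON.parse` happily produces and which `Object.assign` turns into a prototype rewrite of the record.

```javascript
// Added example (not Vulkro's code): mock of the two handlers run offline against a
// constructed user record. All names below are assumptions for this demo.

const ALLOWED_USER_FIELDS = ['display_name', 'avatar_url'];

// Constructed sample record standing in for a User row.
function makeUser() {
  return { id: '42', display_name: 'alice', avatar_url: null, is_admin: false };
}

// Non-compliant: the whole parsed body lands on the record. Any field the model
// has (is_admin) is writable, and an own "__proto__" key in the body (which
// JSON.parse creates as an ordinary property) invokes the __proto__ setter and
// replaces the record's prototype, so properties the model never had appear too.
function updateUnbounded(user, body) {
  Object.assign(user, body);
  return user;
}

// Split a body into allowlisted updates and rejected keys. Only own keys are
// considered, names are matched exactly, and anything that is not a plain JSON
// object is refused rather than iterated.
function pickAllowed(body, allowed) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { updates: {}, rejected: ['<body is not a JSON object>'] };
  }
  const updates = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowed.includes(key)) {
      updates[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { updates, rejected };
}

// Compliant: apply only allowlisted keys. Unknown keys produce a 400 instead of
// being silently dropped, so a client (or a tester) can see that is_admin was refused.
function updateAllowlisted(user, body) {
  const { updates, rejected } = pickAllowed(body, ALLOWED_USER_FIELDS);
  if (rejected.length > 0) {
    return { status: 400, rejected };
  }
  Object.assign(user, updates);
  return { status: 204, user };
}

// The same constructed attacker body against both handlers.
function demo() {
  const attackerBody = JSON.parse(
    '{"display_name":"mallory","is_admin":true,"__proto__":{"is_superuser":true}}'
  );
  const vulnerable = updateUnbounded(makeUser(), attackerBody);
  const hardened = updateAllowlisted(makeUser(), attackerBody);
  return { vulnerable, hardened };
}
```

Whether rejected keys produce a 400 (as here) or are silently dropped (as in the compliant Express example) is a design choice; rejecting is easier to test for and surfaces probing clients in logs. The same shape exists in most frameworks' own machinery, for example Rails strong parameters (`params.require(:user).permit(:display_name, :avatar_url)`), and Vulkro's finding is asking for exactly that allowlist to sit between the body and the model.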
See also
- Confidence model - what High, Medium, and Low mean for findings in this category.
- Safety - what Vulkro does and does not access on your machine.
References
This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.