csharp.dotnet.security.audit.mass-assignment.mass-assignment
semgrep
Author
unknown
Download Count*
License
Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.
Run Locally
Run in CI
Defintion
rules:
- id: mass-assignment
message: Mass assignment or Autobinding vulnerability in code allows an attacker
to execute over-posting attacks, which could create a new parameter in the
binding request and manipulate the underlying object in the application.
severity: WARNING
metadata:
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
category: security
cwe:
- "CWE-915: Improperly Controlled Modification of Dynamically-Determined
Object Attributes"
owasp:
- A08:2021 - Software and Data Integrity Failures
references:
- https://cwe.mitre.org/data/definitions/915.html
- https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
subcategory:
- vuln
technology:
- .net
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mass Assignment
languages:
- csharp
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: |
public IActionResult $METHOD(..., $TYPE $ARG, ...){
...
}
- pattern: |
public ActionResult $METHOD(..., $TYPE $ARG, ...){
...
}
- pattern-inside: |
using Microsoft.AspNetCore.Mvc;
...
- pattern-not: |
public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){
...
}
- pattern-not: |
public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){
...
}
- focus-metavariable: $ARG
pattern-sinks:
- pattern: View(...)
Examples
mass-assignment.cs
using Microsoft.AspNetCore.Mvc;
public IActionResult Create(UserModel model)
{
context.SaveChanges();
// ruleid: mass-assignment
return View("Index", model);
}
public IActionResult Create([Bind(nameof(UserModel.Name))] UserModel model)
{
context.SaveChanges();
// ok: mass-assignment
return View("Index", model);
}
[HttpGet("/")]
public IActionResult Index()
{
// ok: mass-assignment
return NoContent();
}
Short Link: https://sg.run/7B3e