csharp.dotnet.security.audit.mass-assignment.mass-assignment

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: mass-assignment
    message: Mass assignment or Autobinding vulnerability in code allows an attacker
      to execute over-posting attacks, which could create a new parameter in the
      binding request and manipulate the underlying object in the application.
    severity: WARNING
    metadata:
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      category: security
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      references:
        - https://cwe.mitre.org/data/definitions/915.html
        - https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
      subcategory:
        - vuln
      technology:
        - .net
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    languages:
      - csharp
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern: |
                  public IActionResult $METHOD(..., $TYPE $ARG, ...){
                    ...
                  }
              - pattern: |
                  public ActionResult $METHOD(..., $TYPE $ARG, ...){
                    ...
                  }
          - pattern-inside: |
              using Microsoft.AspNetCore.Mvc;
              ...
          - pattern-not: |
              public IActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){
                ...
              }
          - pattern-not: |
              public ActionResult $METHOD(..., [Bind(...)] $TYPE $ARG, ...){
                ...
              }
          - focus-metavariable: $ARG
    pattern-sinks:
      - pattern: View(...)

Examples

mass-assignment.cs

using Microsoft.AspNetCore.Mvc;

public IActionResult Create(UserModel model)
{
    context.SaveChanges();
    // ruleid: mass-assignment
    return View("Index", model);
}

public IActionResult Create([Bind(nameof(UserModel.Name))] UserModel model)
{
    context.SaveChanges();
    // ok: mass-assignment
    return View("Index", model);
}

[HttpGet("/")]
public IActionResult Index()
{
    // ok: mass-assignment
    return NoContent();
}