php.laravel.security.laravel-dangerous-model-construction.laravel-dangerous-model-construction

Author
unknown
Setting `$guarded` to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections.
Definition
rules:
  - id: laravel-dangerous-model-construction
    patterns:
      - pattern: |
          $guarded = [];
      - pattern-inside: |
          class $CLASS extends Model {
            ...
          }
    message: >-
      Setting `$guarded` to an empty array allows mass assignment to every
      property in a Laravel model. This explicitly overrides Eloquent's
      safe-by-default mass assignment protections.
    languages:
      - php
    metadata:
      category: security
      technology:
        - php
        - laravel
        - eloquent
      references:
        - https://laravel.com/docs/9.x/eloquent#allowing-mass-assignment
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
Examples
laravel-dangerous-model-construction.php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class Flight extends Model
{
    /**
     * The primary key associated with the table.
     *
     * @var string
     */
    protected $primaryKey = 'flight_id';

    /**
     * The attributes that aren't mass assignable.
     *
     * @var array
     */
    // ruleid: laravel-dangerous-model-construction
    protected $guarded = [];
}
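The safe construction the rule steers toward, as an added example that is not part of the rule's own test fixture: the model keeps Eloquent's guard and allow-lists only the attributes a client may set, and the controller hands the model validated input rather than the raw request. The `User` model, its `is_admin` column and the `UserController` are assumed for illustration.

```php
<?php
// app/Models/User.php (illustrative; not from the rule's test fixture)
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Allow-list: only these attributes may be mass assigned via create()/fill()/update().
    // Any other key in the input array (e.g. an `is_admin` column, assumed here) is
    // discarded, which is exactly the protection `$guarded = []` removes.
    protected $fillable = ['name', 'email'];

    // An attribute that must be set by application logic is assigned explicitly,
    // rather than by widening $fillable or emptying $guarded.
    public function promoteToAdmin(): void
    {
        $this->is_admin = true;
        $this->save();
    }
}

// app/Http/Controllers/UserController.php (illustrative)
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    public function store(Request $request)
    {
        // validate() returns only the validated keys, so a request body carrying
        // is_admin=1 never reaches the model; even if it did, $fillable drops it.
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email'],
        ]);

        $user = User::create($data);

        return response()->json($user, 201);
    }
}
```

On Laravel 9.x and later, calling `Model::preventSilentlyDiscardingAttributes()` in a service provider makes a non-fillable key throw instead of being dropped quietly, which surfaces the mismatch in tests rather than tempting a `$guarded = []` shortcut.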
Short Link: https://sg.run/epXy