php.laravel.security.laravel-dangerous-model-construction.laravel-dangerous-model-construction

Author: semgrep
Setting $guarded to an empty array allows mass assignment to every property in a Laravel model. This explicitly overrides Eloquent's safe-by-default mass assignment protections: with the default $guarded = ['*'] (or an explicit $fillable allow-list), Model::create() and $model->fill() silently drop attributes that are not allowed, but with $guarded = [] any key a caller passes, such as a role flag or foreign key taken straight from $request->all(), is written to the row.


Definition

rules:
  - id: laravel-dangerous-model-construction
    patterns:
      - pattern: |
          $guarded = [];
      - pattern-inside: |
          class $CLASS extends Model {
            ...
          }
    message: Setting `$guarded` to an empty array allows mass assignment to every
      property in a Laravel model. This explicitly overrides Eloquent's
      safe-by-default mass assignment protections.
    languages:
      - php
    metadata:
      category: security
      technology:
        - php
        - laravel
        - eloquent
      references:
        - https://laravel.com/docs/9.x/eloquent#allowing-mass-assignment
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    severity: ERROR

Examples

laravel-dangerous-model-construction.php

<?php
 
namespace App\Models;
 
use Illuminate\Database\Eloquent\Model;
 
class Flight extends Model
{
    /**
     * The primary key associated with the table.
     *
     * @var string
     */
    protected $primaryKey = 'flight_id';

    /**
     * The attributes that aren't mass assignable.
     *
     * @var array
     */
    // ruleid: laravel-dangerous-model-construction
    protected $guarded = [];
}
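The following is an added example, not code from the Semgrep rule page or from Laravel itself. It places the unguarded model above beside a hardened version that uses a $fillable allow-list, and shows the request path through which an unguarded model is exploited. It assumes a standard Laravel 9.x application; the flights table columns, the is_admin and owner_id attributes in the attacker's payload, and FlightController are hypothetical names chosen for illustration.

```php
<?php
// Added example (not from the Semgrep rule page or from Laravel).
// Assumes a Laravel 9.x app. Column names, the attacker payload and
// FlightController are hypothetical.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

// Before: $guarded = [] disables mass assignment protection entirely.
// Every column of `flights` can be set from the array passed to create()/fill().
class UnguardedFlight extends Model
{
    protected $table = 'flights';

    // This is the construct the Semgrep rule flags.
    protected $guarded = [];
}

// After: an explicit allow-list. Keys not listed here are discarded by
// fill(), so a request key such as "owner_id" never reaches the INSERT.
class Flight extends Model
{
    protected $table = 'flights';

    protected $fillable = ['name', 'airline', 'departs_at'];
}

namespace App\Http\Controllers;

use App\Models\Flight;
use App\Models\UnguardedFlight;
use Illuminate\Http\Request;

class FlightController extends Controller
{
    // Vulnerable handler: a JSON body of
    //   {"name":"SFO-JFK","airline":"X","departs_at":"2024-01-01",
    //    "owner_id":1,"is_admin":true}
    // writes owner_id and is_admin as well, because the model is unguarded
    // and $request->all() forwards every key the client sent.
    public function storeUnsafe(Request $request)
    {
        $flight = UnguardedFlight::create($request->all());

        return response()->json($flight, 201);
    }

    // Hardened handler: validate() returns only the keys named in the rules,
    // so the array handed to create() is an allow-list in its own right, and
    // $fillable on the model enforces the same allow-list a second time.
    public function store(Request $request)
    {
        $data = $request->validate([
            'name'       => ['required', 'string', 'max:64'],
            'airline'    => ['required', 'string', 'max:64'],
            'departs_at' => ['required', 'date'],
        ]);

        // Attributes the server controls are set explicitly, never from input.
        $data['owner_id'] = $request->user()->id;

        $flight = Flight::create($data);

        return response()->json($flight, 201);
    }
}
```

Two caveats when triaging findings from this rule. First, the pattern is a literal match on `$guarded = [];`, so it will not catch the runtime equivalents: `Model::unguard()` called in a service provider, or `$model->forceFill($request->all())`, both of which bypass $guarded and $fillable entirely and deserve the same scrutiny. Second, an allow-list only helps if controllers stop passing `$request->all()` to create()/update(); with $fillable set, Laravel 9.x silently drops the extra keys, and calling `Model::preventSilentlyDiscardingAttributes()` in the application's boot code (outside production) turns that silent drop into an exception so such call sites surface during testing.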