python.django.security.injection.mass-assignment.mass-assignment

Verified by r2c. Community Favorite.
Author: semgrep
Downloads: 100,049

Mass assignment detected. This can result in assignment to model fields that are unintended and can be exploited by an attacker. Instead of using '**request.$W', assign each field you want to edit individually to prevent mass assignment. You can read more about mass assignment at https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.


Definition

rules:
  - id: mass-assignment
    languages:
      - python
    severity: WARNING
    message: Mass assignment detected. This can result in assignment to model fields
      that are unintended and can be exploited by an attacker. Instead of using
      '**request.$W', assign each field you want to edit individually to prevent
      mass assignment. You can read more about mass assignment at
      https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html.
    metadata:
      cwe:
        - "CWE-915: Improperly Controlled Modification of Dynamically-Determined
          Object Attributes"
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      owaspapi: "API6: Mass Assignment"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html
      category: security
      technology:
        - django
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mass Assignment
    pattern-either:
      - pattern: $MODEL.objects.create(**request.$W)
      - pattern: |
          $OBJ.update(**request.$W)
          ...
          $OBJ.save()

Examples

mass-assignment.py

from django.shortcuts import render
from myapp.models import Whatzit

# Test cases borrowed from https://gist.github.com/jsocol/3217262

def create_whatzit(request):
    # ruleid: mass-assignment
    Whatzit.objects.create(**request.POST)
    return render(request, 'created.html')

def update_whatzit(request, id):
    whatzit = Whatzit.objects.filter(pk=id)
    # ruleid: mass-assignment
    whatzit.update(**request.POST)
    whatzit.save()
    return render(request, 'saved.html')

def good_whatzit(request):
    # ok: mass-assignment
    Whatzit.objects.create(
        name=request.POST.get('name'),
        dob=request.POST.get('dob')
    )
    return render(request, 'created.html')
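The rule message says to assign each field individually instead of spreading `**request.POST`, and the fixture's `good_whatzit` shows that shape. The block below is an added example, not part of the Semgrep rule or its fixture, that makes the difference observable without Django: a dataclass stands in for the `Whatzit` model, the `is_admin` field and the `CRAFTED_POST` body are constructed for this illustration, and an allowlist helper reproduces the remediation for both patterns the rule matches (the `create(**...)` call and the `update(**...)` path).

```python
"""Added example: mass assignment vs. an explicit field allowlist.

Django is not imported. ``Whatzit`` is a stand-in for the model in the fixture;
the ``is_admin`` field and ``CRAFTED_POST`` are assumptions made for this
example, not something the rule page states about the real model.
"""
from dataclasses import dataclass
from typing import Any, Iterable, Mapping


@dataclass
class Whatzit:
    """Stand-in model. ``is_admin`` is a field the create view never meant a
    client to control (assumed for the example)."""
    name: str = ""
    dob: str = ""
    is_admin: bool = False

    def __post_init__(self) -> None:
        # Form bodies arrive as strings; coerce the flag the way a boolean
        # model field would, so "True" from a request body becomes True.
        if isinstance(self.is_admin, str):
            self.is_admin = self.is_admin.strip().lower() in ("1", "true", "on")


# Fields the create/update views are permitted to take from the request body.
WHATZIT_WRITABLE_FIELDS = ("name", "dob")

# Constructed request body: the two expected fields plus one extra key the
# client added on its own. This mirrors what ``request.POST`` would contain.
CRAFTED_POST = {"name": "alice", "dob": "1990-01-01", "is_admin": "True"}


def create_mass_assigned(post: Mapping[str, Any]) -> Whatzit:
    """The shape the rule flags: ``Whatzit.objects.create(**request.POST)``.
    Every key in the body becomes a constructor argument, so the extra
    ``is_admin`` key is honoured."""
    return Whatzit(**post)


def pick_fields(post: Mapping[str, Any], allowed: Iterable[str]) -> dict:
    """Copy only allowlisted keys; any other key is dropped, whether or not
    it happens to name a real model field."""
    return {name: post[name] for name in allowed if name in post}


def create_allowlisted(post: Mapping[str, Any]) -> Whatzit:
    """Remediated create view: same effect as the fixture's ``good_whatzit``
    (one keyword per permitted field), expressed through the allowlist."""
    return Whatzit(**pick_fields(post, WHATZIT_WRITABLE_FIELDS))


def update_allowlisted(obj: Whatzit, post: Mapping[str, Any]) -> Whatzit:
    """Remediated update path for the rule's second pattern
    (``$OBJ.update(**request.POST)``): set allowlisted fields one at a time."""
    for name, value in pick_fields(post, WHATZIT_WRITABLE_FIELDS).items():
        setattr(obj, name, value)
    return obj


if __name__ == "__main__":
    print("mass-assigned is_admin:", create_mass_assigned(CRAFTED_POST).is_admin)
    print("allowlisted is_admin:  ", create_allowlisted(CRAFTED_POST).is_admin)
```

Running the module prints `True` for the mass-assigned object and `False` for the allowlisted one. The allowlist lives in one constant so a reviewer can audit which fields user input may reach; with real Django code, a `ModelForm` with an explicit `fields` list gives the same guarantee with validation included.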