Mass Assignment in NodeJS
Using MongoDB
Vulnerable Example
This Express.js route lets a visitor sign up for the application. The logic checks whether a user already exists with the specified username; otherwise, it creates the new user by passing the whole request body, as received from the client, straight to the insert function:
app.post('/signup', function (req, res) {
  const {username} = req.body;
  usersCollection.countDocuments({username}, function (err, count) {
    if (count === 0) {
      // Vulnerable: the entire client-controlled body becomes the stored document,
      // so any extra field the client sends (e.g. is_admin) is persisted as-is.
      const newUser = req.body;
      usersCollection.insert(newUser);
      res.status(201).end();
    } else {
      res.status(409).end();
    }
  });
});
Assuming an HTTP form is like this:
<form method="POST" action="/signup">
  <input name="username" />
  <input name="password" />
</form>
And assuming that the web application uses an is_admin field to implement a rudimentary access control mechanism, an attacker could craft a request that adds the is_admin POST field with value 1, which the route above would store unchanged.
Prevention
MongoDB does not provide any specific facility to prevent Mass Assignment; it is up to the developer to create the object to be inserted by only using a subset of all the fields that might be present in the request:
const {username, password} = req.body;
usersCollection.insert({username, password});
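The following is an added example, not code from the original page, showing the allow-list approach above as a reusable function next to the vulnerable behaviour, with an in-memory stand-in for the MongoDB collection so it runs without a database. The field names, the SIGNUP_FIELDS list and the unexpectedFields helper are assumptions for illustration; password hashing is out of scope here, as it is in the page's own snippet.

```javascript
// Added example (not from the original page): allow-listing request fields
// before persisting them, so client-supplied extras such as is_admin never
// reach the database. The in-memory collection stands in for a real
// MongoDB collection; field names and helpers are assumptions.

const SIGNUP_FIELDS = ['username', 'password'];

// Vulnerable behaviour from the page: the whole body becomes the document.
function buildUserUnsafe(body) {
  return { ...body };
}

// Hardened: copy only the allow-listed fields, and only when each is a
// non-empty string. Anything else in the body is silently left out.
function buildUserSafe(body) {
  const user = {};
  for (const field of SIGNUP_FIELDS) {
    const value = body[field];
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`missing or invalid field: ${field}`);
    }
    user[field] = value;
  }
  return user;
}

// Names of body fields the allow-list drops; handy for logging so that
// repeated attempts to smuggle extra fields can be noticed in monitoring.
function unexpectedFields(body) {
  return Object.keys(body).filter((key) => !SIGNUP_FIELDS.includes(key));
}

// Minimal in-memory stand-in for usersCollection (constructed for this example).
function createCollection() {
  const docs = [];
  return {
    insert(doc) {
      docs.push(doc);
      return doc;
    },
    findOne(query) {
      const matches = (d) => Object.entries(query).every(([k, v]) => d[k] === v);
      return docs.find(matches) || null;
    },
  };
}

// Constructed request body mimicking a tampered sign-up POST.
const tamperedBody = { username: 'alice', password: 'hunter2', is_admin: 1 };

// Runs both variants against the same body and reports what got stored.
function demo() {
  const unsafe = createCollection();
  unsafe.insert(buildUserUnsafe(tamperedBody));

  const safe = createCollection();
  safe.insert(buildUserSafe(tamperedBody));

  return {
    unsafeIsAdmin: unsafe.findOne({ username: 'alice' }).is_admin, // 1
    safeIsAdmin: safe.findOne({ username: 'alice' }).is_admin,     // undefined
    dropped: unexpectedFields(tamperedBody),                       // ['is_admin']
  };
}

console.log(demo());
```

Whether to drop unexpected fields quietly (as buildUserSafe does) or reject the whole request is a design choice; rejecting makes tampering visible to the client, while dropping plus logging the unexpectedFields result keeps the API tolerant of harmless extras without ever persisting them.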
References
CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes