Mass Assignment in PHP
Laravel
Laravel lets you build a model from a user-provided array of attributes in order to simplify the field-setting process. This functionality can introduce mass assignment vulnerabilities.
Vulnerable Example
In this snippet, a malicious user might send an is_admin parameter through an HTTP request, which is then passed to your User model's create method, allowing the user to escalate themselves to an administrator.
<?php

use Illuminate\Foundation\Auth\User as Authenticatable;

// No $fillable allowlist: on an unguarded model, every key in the request body becomes an attribute.
class User extends Authenticatable {}

class RegistrationController extends Controller
{
    public function store()
    {
        // request()->all() is fully client-controlled and may include is_admin
        $u = new User(request()->all());
        // ...
    }
}
Prevention
One way to prevent overwriting properties is using the fillable property to ensure only a specific set of properties can be updated.
<?php

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Only these attributes may be mass assigned; any other key (such as is_admin) is discarded.
    protected $fillable = [
        'name', 'email', 'password',
    ];
}
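To make the difference between the two snippets concrete, here is an added, framework-free PHP example (not code from the page or from Laravel) that reimplements the allowlist behaviour of Eloquent's fill() in miniature. Model, UnguardedUser, $allowAll and the sample request body are this example's own constructions.

```php
<?php
// Added example, not from the page or from Laravel: a minimal stand-in for
// Eloquent's fill() showing how a $fillable allowlist drops a client-supplied
// is_admin key. Model, UnguardedUser and $allowAll are this example's own names.
abstract class Model
{
    protected array $fillable = [];   // nothing is mass-assignable unless listed here
    protected bool $allowAll = false; // true mimics an unguarded model (every key accepted)
    protected array $attributes = [];

    public function __construct(array $input = [])
    {
        $this->fill($input);
    }

    // Copy allow-listed keys only; return the keys that were discarded so callers can log them.
    public function fill(array $input): array
    {
        $discarded = [];
        foreach ($input as $key => $value) {
            if ($this->allowAll || in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            } else {
                $discarded[] = $key;
            }
        }
        return $discarded;
    }

    public function toArray(): array { return $this->attributes; }
}

// Vulnerable shape: mirrors the first snippet, where any request key becomes an attribute.
class UnguardedUser extends Model { protected bool $allowAll = true; }

// Hardened shape: mirrors the $fillable fix.
class User extends Model { protected array $fillable = ['name', 'email', 'password']; }

// Constructed request body: a normal sign-up plus a privilege flag the client must not control.
$request = ['name' => 'alice', 'email' => 'alice@example.com', 'password' => 's3cret', 'is_admin' => 1];
$vulnerable = new UnguardedUser($request);
$safe = new User();
$dropped = $safe->fill($request);

assert(isset($vulnerable->toArray()['is_admin']));  // flag reached the model
assert(!isset($safe->toArray()['is_admin']));       // flag never reached the model
assert($dropped === ['is_admin']);                  // worth logging: a non-fillable key was submitted
echo 'vulnerable: ' . json_encode($vulnerable->toArray()) . PHP_EOL;
echo 'hardened:   ' . json_encode($safe->toArray()) . ' (dropped: ' . implode(',', $dropped) . ')' . PHP_EOL;
```

Real Eloquent silently drops non-fillable keys rather than returning them; enabling Model::preventSilentlyDiscardingAttributes() in non-production environments turns such submissions into exceptions, which makes an is_admin probe visible during testing.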
References
Laravel - Eloquent: Mass Assignment
CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes