GuardAPI

Fix Mass Assignment in Chi

Mass Assignment in Go/Chi occurs when untrusted JSON/Form input is decoded directly into a database model. Attackers exploit this by 'over-posting' extra fields—like 'is_admin' or 'balance'—that the developer didn't intend to be mutable. If your API binds request bodies directly to GORM or SQLx structs, you're handing the keys to the kingdom to any script kiddie with Burp Suite.

The Vulnerable Pattern

import (
    "encoding/json"
    "net/http"
)

// db is assumed to be a package-level GORM handle (*gorm.DB), as on the rest of this page.

type User struct {
    ID       uint   `json:"id"`
    Username string `json:"username"`
    IsAdmin  bool   `json:"is_admin"`
}

// VULNERABLE: the database model doubles as the request-binding struct.
func UpdateHandler(w http.ResponseWriter, r *http.Request) {
    var user User
    // Attacker sends {"username": "hacker", "is_admin": true};
    // json.Decode will happily set IsAdmin to true.
    if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
        http.Error(w, err.Error(), 400)
        return
    }
    db.Save(&user)
}

The Secure Implementation

To kill Mass Assignment, implement the DTO (Data Transfer Object) pattern. Instead of using your DB model for input binding, create a dedicated struct containing only the fields the user is allowed to change. By decoding into this 'clean' struct and then manually mapping those values to your model, you create a whitelist that ignores any malicious fields injected into the request body.

import (
    "encoding/json"
    "net/http"

    "github.com/go-chi/chi/v5"
)

// UserUpdateDTO holds only the fields a client is allowed to change.
type UserUpdateDTO struct {
    Username string `json:"username"`
    Email    string `json:"email"`
}

func UpdateHandler(w http.ResponseWriter, r *http.Request) {
    var input UserUpdateDTO
    // SECURE: only fields defined in the DTO can be populated;
    // an over-posted "is_admin" has nowhere to land and is dropped.
    if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
        http.Error(w, "Invalid input", 400)
        return
    }

    userId := chi.URLParam(r, "id")
    // Explicitly update only the permitted fields. A DTO field is not
    // persisted unless it is mapped here (Email is accepted above but
    // not written until the model carries an Email column and it is
    // mapped below).
    db.Model(&User{}).Where("id = ?", userId).Updates(User{
        Username: input.Username,
    })
}
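The same whitelist idea carried one step further, as an added example that is not from the original page: decoding with DisallowUnknownFields so an over-posted field is rejected (and can be logged and alerted on) rather than silently ignored, plus an explicit DTO-to-model mapping. It drops chi and GORM so it runs offline; the Email field on User and the payloads are constructed assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// User mirrors the page's model; Email is added here as an assumption.
type User struct {
	ID       uint   `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
	IsAdmin  bool   `json:"is_admin"`
}

// UserUpdateDTO is the whitelist of fields a client may change.
type UserUpdateDTO struct {
	Username string `json:"username"`
	Email    string `json:"email"`
}

// DecodeUpdate binds a body to the DTO; DisallowUnknownFields turns an
// over-posted field into a loggable error instead of silently dropping it.
func DecodeUpdate(body []byte) (UserUpdateDTO, error) {
	var dto UserUpdateDTO
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&dto); err != nil {
		return UserUpdateDTO{}, fmt.Errorf("rejecting update: %w", err)
	}
	return dto, nil
}

// ApplyUpdate copies only whitelisted, non-empty fields onto the model;
// a new column on User is not writable until it is mapped here.
func ApplyUpdate(u *User, in UserUpdateDTO) {
	if in.Username != "" {
		u.Username = in.Username
	}
	if in.Email != "" {
		u.Email = in.Email
	}
}

func main() {
	// Constructed body: the page's over-posting attempt is rejected.
	_, err := DecodeUpdate([]byte(`{"username":"hacker","is_admin":true}`))
	fmt.Println(err)
}
```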


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.