Fix Mass Assignment in ElysiaJS
Mass Assignment in ElysiaJS is a critical vulnerability where untrusted input is directly mapped to internal models. In a Bun/Elysia environment, this typically occurs when the 'body' object is spread into an ORM (Prisma/Drizzle) call, allowing attackers to escalate privileges by injecting fields like 'role', 'isAdmin', or 'balance'.
The Vulnerable Pattern
import { Elysia } from 'elysia';

// `db` is assumed to be attached to the handler context elsewhere (e.g. via .decorate()).
new Elysia()
  .patch('/profile/update', async ({ body, db }) => {
    // VULNERABLE: blindly spreading the body object allows
    // an attacker to send { "role": "admin" } and overwrite the DB row.
    return await db.user.update({ where: { id: 1 }, data: { ...body } });
  })
  .listen(3000);
The Secure Implementation
The fix uses Elysia's built-in schema validation (TypeBox). By explicitly defining the 'body' schema, you implement a strict whitelist: any property sent by the attacker that is not 'display_name' or 'bio' is rejected or stripped by the framework before it reaches your business logic. This eliminates the risk of property injection and ensures that sensitive internal state (such as 'role', 'isAdmin' or 'balance') cannot be modified from the client side.
import { Elysia, t } from 'elysia';

// `db` is assumed to be attached to the handler context elsewhere (e.g. via .decorate()).
new Elysia()
  .patch('/profile/update', async ({ body, db }) => {
    // SECURE: Elysia validates the body against the schema below and strips
    // fields not defined in it, so `body` is type-safe before the handler runs.
    return await db.user.update({ where: { id: 1 }, data: body });
  }, {
    body: t.Object({
      display_name: t.String(),
      bio: t.Optional(t.String()),
    }),
  })
  .listen(3000);
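To make the difference between the two handlers observable without a database, here is an added example (not code from the original page or from Elysia) that reduces them to pure functions over an in-memory user row; the `alice` record and `hostileBody` request are constructed sample data, and the strip/reject helpers model what Elysia's schema validation does with the 'display_name'/'bio' allow-list rather than calling the framework itself.

```typescript
// Added example, not from the original page: the two handlers above reduced to
// pure functions over an in-memory user row, so the effect of spreading `body`
// versus enforcing the display_name/bio allow-list can be observed and tested.

type User = { id: number; display_name: string; bio: string; role: 'user' | 'admin' };

// Keys the profile endpoint may change; mirrors the t.Object schema in the fix.
const PROFILE_FIELDS: readonly string[] = ['display_name', 'bio'];

// Constructed sample row standing in for the Prisma/Drizzle record.
const alice: User = { id: 1, display_name: 'alice', bio: '', role: 'user' };

// Constructed attacker request: a legitimate field plus a privilege-escalation key.
const hostileBody: Record<string, unknown> = { display_name: 'mallory', role: 'admin' };

// Vulnerable pattern: every client-supplied key lands in the update.
function applyUpdateVulnerable(user: User, body: Record<string, unknown>): User {
  return { ...user, ...body } as User;
}

// Keys in the body that the schema does not declare (what additionalProperties: false rejects).
function unknownFields(body: Record<string, unknown>): string[] {
  return Object.keys(body).filter((k) => !PROFILE_FIELDS.includes(k));
}

// Copy only declared keys with the declared type (what the framework's strip step does).
function stripUnknownFields(body: Record<string, unknown>): Partial<Pick<User, 'display_name' | 'bio'>> {
  const clean: Partial<Pick<User, 'display_name' | 'bio'>> = {};
  if (typeof body.display_name === 'string') clean.display_name = body.display_name;
  if (typeof body.bio === 'string') clean.bio = body.bio;
  return clean;
}

// Hardened pattern: in strict mode reject the request on unknown keys, otherwise strip them.
function applyUpdateSecure(user: User, body: Record<string, unknown>, strict = false): User {
  const extra = unknownFields(body);
  if (strict && extra.length > 0) throw new Error(`unexpected field(s): ${extra.join(', ')}`);
  return { ...user, ...stripUnknownFields(body) };
}

console.log(applyUpdateVulnerable(alice, hostileBody).role); // prints "admin": escalation succeeded
console.log(applyUpdateSecure(alice, hostileBody).role);     // prints "user": role untouched
```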
Verified by Ghost Labs Security Team