Fix Mass Assignment in Express
Mass Assignment occurs when an application takes user-supplied input (usually from req.body) and blindly maps it to internal database models or objects. In Express, this is a common vector for privilege escalation. If an attacker sees a POST/PUT request updating a profile, they can inject properties like 'isAdmin: true' or 'role: superuser'. If the backend doesn't filter the input, the ORM will happily overwrite those sensitive fields in the database.
The Vulnerable Pattern
```javascript
app.put('/api/user/update', async (req, res) => {
  // CRITICAL VULNERABILITY: Blindly passing req.body to the database
  // An attacker can send { "isAdmin": true } to elevate privileges
  const user = await User.findByPk(req.user.id);
  await user.update(req.body);
  res.send({ status: 'success' });
});
```
The Secure Implementation
The fix relies on 'Input Filtering' or 'Allow-listing'. Instead of passing the entire req.body object to your ORM (Sequelize, Mongoose, etc.), you must explicitly extract only the fields the user is permitted to change. By using ES6 destructuring or a utility like lodash.pick(), you create a 'Safe Data Transfer Object' (DTO). This ensures that even if a malicious actor probes your API with hidden administrative parameters, the application logic remains blind to them, preventing unauthorized data modification.
```javascript
app.put('/api/user/update', async (req, res) => {
  // SECURE: Use destructuring or an allow-list to define permitted fields
  const { displayName, bio, timezone } = req.body;
  const safeData = { displayName, bio, timezone };
  const user = await User.findByPk(req.user.id);
  // Only the specified fields will be updated; any injected 'role' or 'isAdmin' fields are ignored
  await user.update(safeData);
  res.send({ status: 'success' });
});
```
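The following is an added example, not code from the article: it shows the allow-list fix as a reusable `pickAllowed()` helper and runs the vulnerable and hardened update paths side by side against a constructed malicious body. To keep it runnable offline, an in-memory `makeUser()` stand-in replaces the ORM model (hypothetical, not Sequelize or Mongoose), and the handler logic is lifted out of the Express route so it can be called directly. Unlike plain destructuring, the helper copies only keys the client actually sent, so absent optional fields are not written back as `undefined`.

```javascript
// Added example (not the article's code): allow-list filtering for profile
// updates, simulated without a live Express server or ORM.

// The only fields a user may change on their own profile.
const ALLOWED_PROFILE_FIELDS = ['displayName', 'bio', 'timezone'];

// Build the safe DTO: copy only allow-listed keys that are present on the body.
// hasOwnProperty.call (rather than `key in body`) ignores inherited properties,
// and skipping absent keys avoids overwriting stored values with undefined.
function pickAllowed(body, allowed) {
  const safe = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      safe[key] = body[key];
    }
  }
  return safe;
}

// Minimal in-memory stand-in for an ORM model instance (hypothetical).
// update() merges whatever it is given, exactly like a blind ORM update would.
function makeUser(initial) {
  const record = { ...initial };
  return {
    get: () => ({ ...record }),
    update: (fields) => { Object.assign(record, fields); return record; },
  };
}

// Vulnerable path: mirrors the article's first snippet (req.body passed straight through).
function vulnerableUpdate(user, body) {
  user.update(body);
  return user.get();
}

// Hardened path: mirrors the article's fix with an explicit allow-list.
function secureUpdate(user, body) {
  const safeData = pickAllowed(body, ALLOWED_PROFILE_FIELDS);
  user.update(safeData);
  return user.get();
}

// Constructed malicious request body: one legitimate field plus injected
// privilege fields that the profile endpoint must never accept.
const maliciousBody = { displayName: 'Mallory', isAdmin: true, role: 'superuser' };

// Run both paths from the same starting record and return the resulting rows.
function demo() {
  const before = {
    id: 1, displayName: 'Alice', bio: '', timezone: 'UTC', isAdmin: false, role: 'user',
  };
  const vuln = vulnerableUpdate(makeUser(before), maliciousBody);
  const safe = secureUpdate(makeUser(before), maliciousBody);
  return { vuln, safe };
}

// In a real route you would write:
//   app.put('/api/user/update', async (req, res) => {
//     const user = await User.findByPk(req.user.id);
//     await user.update(pickAllowed(req.body, ALLOWED_PROFILE_FIELDS));
//     res.send({ status: 'success' });
//   });
```

Running `demo()` shows the vulnerable row ending up with `isAdmin: true` and `role: 'superuser'`, while the hardened row keeps `isAdmin: false` and `role: 'user'` and only `displayName` changes. Keeping the allow-list in one constant also gives reviewers a single place to check when a new column is added to the model.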
Verified by Ghost Labs Security Team