Fix Mass Assignment in Flask
Mass Assignment in Flask is a critical vulnerability where an application takes user-provided data and binds it to internal models without filtering. If you dump 'request.json' or 'request.form' directly into an ORM constructor or update method, you hand the attacker a direct pipeline to your database schema: any column name they include in the payload gets written. This allows unauthorized modification of sensitive fields such as 'is_admin', 'role', or 'balance'.
The Vulnerable Pattern
```python
# Assumes app, db and the User model are defined elsewhere in the application
from flask import request
from flask_jwt_extended import get_jwt_identity, jwt_required

@app.route('/api/user/update', methods=['POST'])
@jwt_required()
def update_user():
    user = User.query.get(get_jwt_identity())
    # VULNERABLE: Blindly unpacking the entire JSON payload into the model.
    # Every key the client sends (is_admin, role, balance, ...) becomes a column write.
    user.update(**request.json)
    db.session.commit()
    return {'status': 'success'}
```
The Secure Implementation
The exploit leverages the '**' dictionary unpacking operator. An attacker sends a payload like '{"is_admin": true, "bio": "hacked"}'. Because the vulnerable code doesn't filter keys, SQLAlchemy updates the 'is_admin' column alongside 'bio'. To remediate, implement a strict whitelist: the server, never the client, defines which fields an endpoint may update. Use explicit field mapping or a schema-enforcement library like Marshmallow to validate and filter the input DTO (Data Transfer Object) before it touches your persistence layer.
```python
# Assumes app, db and the User model are defined elsewhere in the application
from flask import request
from flask_jwt_extended import get_jwt_identity, jwt_required

@app.route('/api/user/update', methods=['POST'])
@jwt_required()
def update_user():
    user = User.query.get(get_jwt_identity())
    # get_json(silent=True) returns None instead of raising on a non-JSON body
    data = request.get_json(silent=True) or {}
    # SECURE: Explicitly whitelisting fields; anything else in the payload is ignored
    allowed_updates = ['bio', 'location', 'display_name']
    for field in allowed_updates:
        if field in data:
            setattr(user, field, data[field])
    db.session.commit()
    return {'status': 'success'}
```
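The following is an added, self-contained example (not code from the original page) that puts the unfiltered binder and the whitelisted binder side by side without needing Flask or a database: a plain dataclass stands in for the SQLAlchemy model, 'update_unfiltered' mirrors what 'user.update(**request.json)' does, and 'validate_update' implements the whitelist plus per-field type checks in the spirit of a Marshmallow schema. The 'ALLOWED_UPDATES' table, the 'ValidationError' class, the 'reject_unknown' switch and the 'ATTACK_PAYLOAD' value are all constructed for this illustration; the field names match the ones used on this page.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Stand-in for the ORM model; the sensitive columns are the ones an attacker targets."""
    id: int
    display_name: str = ""
    bio: str = ""
    location: str = ""
    is_admin: bool = False
    balance: float = 0.0


def update_unfiltered(user, payload):
    """Mirrors user.update(**request.json): every key in the payload becomes an attribute write."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Server-side definition of what this endpoint may change, and the type each field must have.
ALLOWED_UPDATES = {"bio": str, "location": str, "display_name": str}


class ValidationError(ValueError):
    """Raised when the payload is not a JSON object, has unexpected keys, or has wrong types."""


def validate_update(payload, allowed=ALLOWED_UPDATES, reject_unknown=True):
    """Return a filtered copy of payload containing only whitelisted, correctly typed fields.

    reject_unknown=True rejects the whole request when extra keys are present (the
    strict behaviour of a schema library); reject_unknown=False silently drops them,
    which is what the loop in the secure handler above does.
    """
    if not isinstance(payload, dict):
        raise ValidationError("request body must be a JSON object")
    unknown = sorted(set(payload) - set(allowed))
    if unknown and reject_unknown:
        raise ValidationError(f"unexpected fields: {unknown}")
    clean = {}
    for name, expected_type in allowed.items():
        if name in payload:
            value = payload[name]
            if not isinstance(value, expected_type):
                raise ValidationError(f"{name}: expected {expected_type.__name__}")
            clean[name] = value
    return clean


def update_filtered(user, payload, reject_unknown=True):
    """Apply only the validated fields; returns the dict of fields actually written."""
    clean = validate_update(payload, reject_unknown=reject_unknown)
    for name, value in clean.items():
        setattr(user, name, value)
    return clean


# Constructed sample payload of the kind described on this page.
ATTACK_PAYLOAD = {"is_admin": True, "bio": "hacked"}


def demo():
    """Run the same payload through both binders and report the resulting privilege flags."""
    victim = User(id=1)
    update_unfiltered(victim, ATTACK_PAYLOAD)

    lenient = User(id=2)
    update_filtered(lenient, ATTACK_PAYLOAD, reject_unknown=False)

    strict = User(id=3)
    try:
        update_filtered(strict, ATTACK_PAYLOAD)
        strict_rejected = False
    except ValidationError:
        strict_rejected = True

    return {
        "unfiltered_is_admin": victim.is_admin,
        "lenient_is_admin": lenient.is_admin,
        "lenient_bio": lenient.bio,
        "strict_rejected": strict_rejected,
        "strict_bio": strict.bio,
    }


if __name__ == "__main__":
    print(demo())
```

The strict mode is the one to prefer for a public API: silently dropping 'is_admin' hides the fact that a client is probing for writable columns, whereas a 400 with "unexpected fields" gives you something to log and alert on.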
Verified by Ghost Labs Security Team