Fix Mass Assignment in Gatsby
Gatsby Functions are the primary attack surface for Mass Assignment in the Gatsby ecosystem. When developers pass the entire 'req.body' object straight into a database query or internal state, they create a critical vulnerability. Attackers can inject unauthorized fields, such as 'role', 'isAdmin', or 'permissions', into the request payload to escalate privileges or manipulate data they should not be able to touch.
The Vulnerable Pattern
export default async function handler(req, res) {
  if (req.method === 'POST') {
    // VULNERABLE: Directly spreading the request body into the database update
    // An attacker can send { "isAdmin": true } to elevate their account.
    const updatedUser = await db.user.update({
      where: { id: req.body.id },
      data: { ...req.body }
    });
    res.status(200).json(updatedUser);
  }
}
The Secure Implementation
The fix involves two core principles: Explicit Allowlisting and Source of Truth verification. Instead of using the spread operator (...) to dump the entire request body into your data layer, you must explicitly destructure only the fields the user is permitted to modify (e.g., 'displayName' and 'bio'). Furthermore, identifiers like 'id' should never be accepted from the request body if they dictate which record is modified; instead, pull them from a validated session or JWT to prevent Insecure Direct Object Reference (IDOR) combined with Mass Assignment.
export default async function handler(req, res) {
  if (req.method === 'POST') {
    // SECURE: Use an explicit allowlist via destructuring
    const { displayName, bio } = req.body;
    // Ensure the ID comes from a verified session, not the body
    // (req.auth is assumed to be populated by your JWT/session verification)
    const userId = req.auth.sub;
    const updatedUser = await db.user.update({
      where: { id: userId },
      data: { displayName, bio }
    });
    res.status(200).json(updatedUser);
  }
}
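As an added example (not the page's own code), the same allowlist principle factored into a reusable helper and exercised against a hostile payload, using a constructed in-memory stand-in for the database and assuming, as the page's fix does, that req.auth.sub holds the verified user id:

```javascript
// Added example, not the page's own code: an allowlist helper for a Gatsby Function, run
// against a constructed in-memory stand-in for db.user. Assumes req.auth.sub holds the
// verified user id, as in the page's fix.
const USER_WRITABLE_FIELDS = ['displayName', 'bio']; // fields an account owner may change

// Copy exactly the allowlisted keys present in the body; isAdmin, role, id and unknown keys are dropped.
function pickAllowed(body, allowlist) {
  const out = {};
  if (body === null || typeof body !== 'object') return out;
  for (const key of allowlist) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Constructed stand-in for the page's db.user (synchronous, in-memory).
function makeUserStore(rows) {
  const users = new Map(rows.map((r) => [r.id, { ...r }]));
  return { update({ where, data }) {
    const row = users.get(where.id);
    if (!row) throw new Error('user not found');
    Object.assign(row, data);
    return { ...row };
  } };
}

// Hardened handler: record chosen by the session, fields by the allowlist. (A real DB call would be awaited.)
function secureHandler(req, res, userStore) {
  if (req.method !== 'POST') return res.status(405).json({ error: 'method not allowed' });
  const data = pickAllowed(req.body, USER_WRITABLE_FIELDS);
  const updated = userStore.update({ where: { id: req.auth.sub }, data });
  return res.status(200).json(updated);
}

// Minimal res object that records what the handler sent.
function fakeRes() {
  const r = { statusCode: 0, body: undefined };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (payload) => { r.body = payload; return r; };
  return r;
}

// Constructed hostile payload: authenticated as u1, tries to flip isAdmin and to target u2.
function demo() {
  const store = makeUserStore([{ id: 'u1', displayName: 'Ann', bio: '', isAdmin: false },
                               { id: 'u2', displayName: 'Bob', bio: '', isAdmin: false }]);
  const req = { method: 'POST', auth: { sub: 'u1' },
                body: { id: 'u2', displayName: 'Ann!', isAdmin: true, role: 'admin' } };
  return secureHandler(req, fakeRes(), store).body; // { id: 'u1', displayName: 'Ann!', bio: '', isAdmin: false }
}
```

Only the allowlisted displayName reaches the store, the update is pinned to the session's user rather than the body's id, and isAdmin and role never leave the request.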
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.