Fix Mass Assignment in Koa
Mass Assignment in Koa is a critical vulnerability where attackers inject unauthorized parameters into your database models. If you're blindly spreading `ctx.request.body` into your ORM or database queries, you're handing over control of your internal state. Attackers will use this to overwrite sensitive fields like `role`, `is_admin`, or `account_balance` to escalate privileges or bypass business logic.
The Vulnerable Pattern
```javascript
const router = require('@koa/router')();
const User = require('./models/User');

// VULNERABLE: blindly spreading the body into the update call.
// Kept deliberately vulnerable to show the pattern described above.
router.patch('/api/profile', async (ctx) => {
  const user = await User.findByPk(ctx.state.user.id);
  // Attackers can send { "role": "admin" } in the JSON body
  await user.update(ctx.request.body);
  ctx.body = { success: true };
});
```
The Secure Implementation
The vulnerability exists because the application trusts the client-provided JSON object as a source of truth for database updates. In the vulnerable snippet, any key-value pair sent in the request body is passed directly to the ORM's update method. To remediate this, you must implement strict allow-listing. By using a utility like lodash.pick or manually constructing a new object from specific request properties, you ensure that internal fields remain immutable via the public API. For production-grade security, integrate a schema validation library like Zod or Joi to enforce data types and strip unexpected properties at the middleware level.
```javascript
const router = require('@koa/router')();
const User = require('./models/User');
const _ = require('lodash');

// SECURE: explicitly allow-listing permitted fields
router.patch('/api/profile', async (ctx) => {
  const user = await User.findByPk(ctx.state.user.id);

  // Use pick to extract only the fields a user should be able to change;
  // anything else in the body (e.g. "role") is silently dropped.
  const safeData = _.pick(ctx.request.body, ['bio', 'displayName', 'timezone']);

  await user.update(safeData);
  ctx.body = { success: true };
});
```
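The paragraph above suggests moving the allow-listing into middleware and validating types there. The following dependency-free middleware is an added example, not code from the page or from Ghost Labs; the names `PROFILE_FIELDS`, `filterBody` and `allowlist` are assumed. It type-checks each permitted field and, unlike `_.pick`, can either strip or reject unknown keys so that probing for fields like `role` is visible in your logs.

```javascript
// Assumed allow-list schema for the profile endpoint (constructed example).
const PROFILE_FIELDS = {
  bio: { type: 'string', maxLength: 500 },
  displayName: { type: 'string', maxLength: 64 },
  timezone: { type: 'string', maxLength: 64 },
};

// Returns { data, rejected }: data holds only allow-listed, type-checked
// fields; rejected lists every key that was dropped (useful for alerting).
function filterBody(body, schema) {
  const data = {};
  const rejected = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { data, rejected: ['<non-object body>'] };
  }
  // Object.keys yields own keys only, so a JSON "__proto__" key is treated
  // like any other unknown field and never reaches the ORM.
  for (const key of Object.keys(body)) {
    const rule = Object.prototype.hasOwnProperty.call(schema, key) ? schema[key] : null;
    const value = body[key];
    if (!rule || typeof value !== rule.type ||
        (rule.maxLength !== undefined && value.length > rule.maxLength)) {
      rejected.push(key);
      continue;
    }
    data[key] = value;
  }
  return { data, rejected };
}

// Koa middleware factory: exposes the filtered object as ctx.state.safeBody.
// With rejectUnknown (the default) a body carrying fields the client may not
// set gets a 400 instead of being silently trimmed.
function allowlist(schema, { rejectUnknown = true } = {}) {
  return async (ctx, next) => {
    const { data, rejected } = filterBody(ctx.request.body, schema);
    if (rejectUnknown && rejected.length > 0) {
      ctx.status = 400;
      ctx.body = { error: 'unexpected or invalid fields', fields: rejected };
      return;
    }
    ctx.state.safeBody = data;
    await next();
  };
}
```

Mount it as `router.patch('/api/profile', allowlist(PROFILE_FIELDS), handler)` and have the handler call `user.update(ctx.state.safeBody)`; passing `{ rejectUnknown: false }` gives the same silent-strip behaviour as the `_.pick` version.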
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.