Fix Mass Assignment in LoopBack
Mass assignment in LoopBack 4 occurs when an attacker adds fields to the HTTP request body that they should not be able to set, such as 'isAdmin', 'role', or 'balance'. If the controller passes the request body straight to the repository's create or update methods, the underlying database persists these unauthorized changes. It is a classic over-posting vulnerability that leads to privilege escalation.
The Vulnerable Pattern
@post('/users')
async create(@requestBody() user: User): Promise<User> {
  // VULNERABLE: the entire request body is passed to the repository unchanged.
  // An attacker can send { "username": "hacker", "role": "admin" } and the
  // 'role' property is persisted along with the rest.
  return this.userRepository.create(user);
}
The Secure Implementation
The fix involves two layers of defense. First, use 'getModelSchemaRef' with the 'exclude' or 'partial' options so that the OpenAPI specification defines exactly which fields are acceptable; LoopBack validates incoming bodies against this schema. Second, use TypeScript utility types such as 'Omit' or 'Pick' on the controller method argument. This ensures that even if a malicious payload bypasses the initial validation, the logic layer only processes the intended properties, effectively neutralizing the mass assignment attempt.
@post('/users')
async create(
  @requestBody({
    content: {
      'application/json': {
        schema: getModelSchemaRef(User, {
          title: 'NewUser',
          exclude: ['id', 'role', 'isAdmin'], // Allow-listing via schema exclusion
        }),
      },
    },
  })
  user: Omit<User, 'id' | 'role' | 'isAdmin'>,
): Promise<User> {
  // SECURE: only the permitted fields are accepted and passed to the repository.
  return this.userRepository.create(user);
}
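One caveat worth making explicit: the 'Omit' type on the method argument is erased when TypeScript compiles, so it documents intent but filters nothing at runtime; the schema passed to '@requestBody' is what LoopBack's validator actually enforces. The example below, which is added here and is not LoopBack's code, shows the same allow-list logic as a plain function you can unit-test without a running server: a strict check that rejects a body containing any property outside the allow list (the behaviour of a schema with additionalProperties: false), and a lenient variant that strips such properties before the object reaches the repository. The 'User' interface, the 'NewUser' type and the payload values are constructed for the example.

```typescript
// Added example, not LoopBack's own code. Runtime allow-listing of a request
// body before it reaches userRepository.create(). The TypeScript type
// `Omit<User, ...>` is erased at compile time, so a check like this (or the
// schema validation LoopBack performs from getModelSchemaRef) is what runs.

// Constructed model for the example.
interface User {
  id?: number;
  username: string;
  email: string;
  role?: string;
  isAdmin?: boolean;
}

// Properties a caller may never set through POST /users (mirrors the `exclude` list).
const PROTECTED_FIELDS = ['id', 'role', 'isAdmin'] as const;
type ProtectedField = (typeof PROTECTED_FIELDS)[number];
type NewUser = Omit<User, ProtectedField>;

// Properties the endpoint accepts. Derived from the model, never from the request.
const ALLOWED_FIELDS: ReadonlyArray<keyof NewUser> = ['username', 'email'];

export interface BodyCheck {
  ok: boolean;
  rejected: string[]; // property names that were not on the allow list
  value?: NewUser;
}

// Strict mode: reject the whole request when unknown or protected properties
// are present (equivalent to a JSON schema with additionalProperties: false).
export function validateNewUser(body: unknown): BodyCheck {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return {ok: false, rejected: ['<body is not an object>']};
  }
  const rec = body as Record<string, unknown>;
  const rejected = Object.keys(rec).filter(
    k => !(ALLOWED_FIELDS as ReadonlyArray<string>).includes(k),
  );
  if (rejected.length > 0) {
    return {ok: false, rejected};
  }
  const username = rec.username;
  const email = rec.email;
  if (typeof username !== 'string' || typeof email !== 'string') {
    return {ok: false, rejected: ['<username and email must be strings>']};
  }
  return {ok: true, rejected: [], value: {username, email}};
}

// Lenient mode: silently drop everything that is not allow-listed, so the
// object handed to the repository can only contain permitted fields.
export function pickNewUser(body: Record<string, unknown>): Partial<NewUser> {
  const out: Partial<NewUser> = {};
  for (const k of ALLOWED_FIELDS) {
    const v = body[k];
    if (typeof v === 'string') {
      out[k] = v;
    }
  }
  return out;
}

// Constructed payload of the kind described above: legitimate fields plus
// two protected ones the caller is trying to smuggle in.
export const OVERPOSTED_BODY: Record<string, unknown> = {
  username: 'hacker',
  email: 'hacker@example.com',
  role: 'admin',
  isAdmin: true,
};

// Usage: strict mode refuses the body, lenient mode strips it down.
console.log(validateNewUser(OVERPOSTED_BODY)); // { ok: false, rejected: [ 'role', 'isAdmin' ] }
console.log(pickNewUser(OVERPOSTED_BODY));     // { username: 'hacker', email: 'hacker@example.com' }
```

Strict rejection is the better default for a create endpoint, because a client sending 'role' is either misconfigured or hostile and either way deserves a 422 rather than a quietly trimmed record; the lenient variant is useful when you must tolerate older clients that send extra fields. In both cases the allow list is keyed off the model, which is the property that makes the check robust when new sensitive columns are added later.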
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.