GuardAPI

Fix Mass Assignment in Lumen

Mass Assignment is a critical vulnerability in Lumen/Eloquent applications: an attacker adds unexpected fields such as 'is_admin' or 'role_id' to the HTTP request body, and if the model lacks strict attribute protection, Eloquent blindly persists those fields to the database. As a researcher, I look for models with an empty '$guarded' array and for controllers that pass '$request->all()' directly into a 'create' or 'update' call.

The Vulnerable Pattern

// Model: User.php
use Illuminate\Database\Eloquent\Model;

class User extends Model {
    protected $guarded = []; // DANGEROUS: All fields are mass-assignable
}

// Controller: UserController.php
use Illuminate\Http\Request;

class UserController extends Controller {
    public function store(Request $request) {
        // Attacker sends {"username": "hacker", "is_admin": true}
        // Every key in the body, is_admin included, reaches the database
        return User::create($request->all());
    }
}

The Secure Implementation

To remediate Mass Assignment, you must implement a strict allowlist. First, define the '$fillable' property in your Eloquent models to restrict which attributes can be modified via mass-assignment methods. '$guarded' is a denylist: it only blocks the fields you remember to list, so prefer '$fillable', which is the industry standard for security. Second, never trust the raw request object; use '$request->only([...])' in your controllers so that only validated, expected parameters reach the model layer. This creates two layers of defense: the controller filters the input, and the model rejects anything not explicitly permitted.

// Model: User.php
use Illuminate\Database\Eloquent\Model;

class User extends Model {
    // Allowlist approach: only these fields can be mass-assigned
    protected $fillable = ['username', 'email', 'password'];
}

// Controller: UserController.php
use Illuminate\Http\Request;

class UserController extends Controller {
    public function store(Request $request) {
        $this->validate($request, [
            'username' => 'required|string',
            'email'    => 'required|email',
        ]);

        // Explicitly pull only what you need; is_admin never reaches the model
        $data = $request->only(['username', 'email', 'password']);
        return User::create($data);
    }
}
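To see both layers of defense from the text behave on a hostile request body, here is an added example; it is not code from the GuardAPI post or from Lumen itself. It assumes a project with illuminate/database installed and a vendor/autoload.php next to the script; the model names, the payload and the helpers keptAttributes, leakedPrivilegeFields and allowlistInput are constructed for this demonstration, and the optional preventSilentlyDiscardingAttributes() call assumes illuminate/database 9.x or later. No database connection is needed because fill() only populates in-memory attributes.

```php
<?php
// Added example (not code from the GuardAPI post): shows what Eloquent's
// fill() keeps from a hostile payload with and without an allowlist.
// Assumes a Lumen or Laravel project with illuminate/database installed,
// so vendor/autoload.php exists. No database connection is required.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\MassAssignmentException;

// The vulnerable pattern: nothing is guarded, every key is accepted.
class UnguardedUser extends Model
{
    protected $guarded = [];
}

// The remediated pattern: an explicit allowlist.
class GuardedUser extends Model
{
    protected $fillable = ['username', 'email', 'password'];
}

// Constructed hostile request body with privilege fields smuggled in.
$payload = [
    'username' => 'hacker',
    'email'    => 'hacker@example.test',
    'password' => 'constructed-sample-value',
    'is_admin' => true,
    'role_id'  => 1,
];

// Returns the attribute names that fill() actually set on the model.
function keptAttributes(Model $model, array $input): array
{
    return array_keys($model->fill($input)->getAttributes());
}

// Names any privilege-bearing keys that survived the model's guard.
function leakedPrivilegeFields(array $kept): array
{
    return array_values(array_intersect($kept, ['is_admin', 'role_id']));
}

foreach ([new UnguardedUser(), new GuardedUser()] as $model) {
    $kept = keptAttributes($model, $payload);
    printf("%s kept: %s\n", get_class($model), implode(', ', $kept));
    $leaked = leakedPrivilegeFields($kept);
    printf("  privilege fields reaching the model: %s\n",
        $leaked ? implode(', ', $leaked) : 'none');
}

// Controller-layer filter, the plain-PHP equivalent of $request->only([...])
// from the post: applied before the model ever sees the input.
function allowlistInput(array $input, array $allowed): array
{
    return array_intersect_key($input, array_flip($allowed));
}

$filtered = allowlistInput($payload, ['username', 'email', 'password']);
printf("controller filter passed: %s\n", implode(', ', array_keys($filtered)));

// Optional hardening (illuminate/database 9.x and later): make the model
// throw instead of silently dropping unexpected keys, so a probing request
// surfaces as a logged MassAssignmentException rather than disappearing.
if (method_exists(Model::class, 'preventSilentlyDiscardingAttributes')) {
    Model::preventSilentlyDiscardingAttributes();
    try {
        new GuardedUser($payload);
        echo "no exception raised\n";
    } catch (MassAssignmentException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

Run it with `php mass_assignment_demo.php` from the project root. The first loop shows why the model-level allowlist matters even when the controller is careful, and the controller-level filter shows why the allowlist should not be the only line of defense: the two checks are independent, so a mistake in either one is caught by the other. Enabling preventSilentlyDiscardingAttributes() is a deployment choice; it turns silently dropped fields into exceptions, which is useful for spotting probing requests in logs but will also break any legitimate caller that passes extra keys.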


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.