Fix Mass Assignment in Masonite
Mass assignment in Masonite occurs when an application accepts a user-provided dictionary and passes it directly to a Model's create or update method without filtering. This allows attackers to overwrite sensitive fields—like 'is_admin', 'role', or 'balance'—by simply appending those keys to the JSON or form-data payload.
The Vulnerable Pattern
# Controller def store(self, request: Request): # CRITICAL: This allows an attacker to pass {'is_admin': True} in the request user = User.create(request.all()) return userModel
class User(Model): # No protection defined pass
The Secure Implementation
To kill mass assignment, implement a two-layer defense. First, define the '__fillable__' attribute in your Masonite Model to whitelist only non-sensitive columns; this prevents the ORM from mapping unauthorized keys to the database. Second, in your Controller, never use 'request.all()'. Use 'request.only()' to strictly enforce that only the expected parameters reach the business logic. This ensures that even if a developer forgets to update the model whitelist, the entry point remains locked down.
# Model class User(Model): # Define a whitelist of attributes that can be mass-assigned __fillable__ = ['username', 'email', 'password']Controller
def store(self, request: Request): # Explicitly filter inputs even if the model has fillable user_data = request.only(‘username’, ‘email’, ‘password’) user = User.create(user_data) return user
Your Masonite API
might be exposed to Mass Assignment
74% of Masonite apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.