
Fix Mass Assignment in Meteor

Mass Assignment in Meteor is a critical vulnerability where developers allow client-supplied objects to be directly persisted to the database. In Meteor's context, this usually happens within Methods where an attacker can inject sensitive fields like 'isAdmin', 'role', or 'balance' into a payload, bypassing intended application logic. If you're passing a raw object from a 'Meteor.call' into a Mongo update modifier, you're likely pwned.

The Vulnerable Pattern

Meteor.methods({
  'user.updateProfile'(userData) {
    // VULNERABLE: Direct injection of client-controlled object
    // Attacker sends: { "bio": "hacker", "isAdmin": true }
    Meteor.users.update(this.userId, { $set: userData });
  }
});

The Secure Implementation

To kill Mass Assignment, you must implement strict input validation and explicit field whitelisting. First, use the 'check' package to enforce data types and ensure no unexpected keys exist in the object. Second, never pass the entire argument object to the database; instead, destructure only the specific fields the user is authorized to change. This ensures that even if an attacker appends 'isAdmin: true' to their request, the server-side logic ignores it entirely.

import { Meteor } from 'meteor/meteor';
import { check, Match } from 'meteor/check';

Meteor.methods({
  'user.updateProfile'(userData) {
    // Only an authenticated user may update a profile, and only their own
    if (!this.userId) throw new Meteor.Error('403', 'Unauthorized');

    // 1. Strict Schema Validation
    // check() with an object pattern rejects any key that is not listed here,
    // so a smuggled 'isAdmin' or 'role' fails before it reaches the database
    check(userData, {
      bio: Match.Maybe(String),
      location: Match.Maybe(String)
    });

    // 2. Explicit Whitelisting (Destructuring)
    const { bio, location } = userData;

    // 3. Controlled Update: only the named fields reach the $set modifier
    Meteor.users.update(this.userId, {
      $set: {
        bio,
        location,
        updatedAt: new Date()
      }
    });
  }
});
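The following is an added example, not GuardAPI's code, that reproduces the check-then-destructure logic above without a running Meteor app so it can be exercised directly in Node. The names PROFILE_WHITELIST, validateProfileInput, buildProfileModifier and isRejected are hypothetical stand-ins: validateProfileInput behaves like check(userData, { bio: Match.Maybe(String), location: Match.Maybe(String) }) by rejecting unknown keys and wrong types, and buildProfileModifier builds the $set modifier from explicitly named fields only. It goes slightly beyond the page by also rejecting non-object payloads and operator objects smuggled into a string field.

```javascript
// Added example (not GuardAPI's code): a dependency-free stand-in for the
// check() + destructuring pattern, runnable outside Meteor. Names are hypothetical.

// Fields a user may change on their own profile, with the JS type each must have.
const PROFILE_WHITELIST = {
  bio: 'string',
  location: 'string',
};

// Mirrors check(obj, { bio: Match.Maybe(String), location: Match.Maybe(String) }):
// every present key must be whitelisted and carry the right type, and any key
// outside the whitelist (isAdmin, role, balance, ...) is rejected outright.
function validateProfileInput(userData) {
  if (userData === null || typeof userData !== 'object' || Array.isArray(userData)) {
    throw new Error('Expected a plain object');
  }
  for (const key of Object.keys(userData)) {
    // hasOwnProperty (not `in`) so inherited names such as "constructor" or a
    // JSON-supplied "__proto__" key are not mistaken for whitelisted fields.
    if (!Object.prototype.hasOwnProperty.call(PROFILE_WHITELIST, key)) {
      throw new Error(`Unexpected field: ${key}`);
    }
    const value = userData[key];
    // Match.Maybe: the field may be absent, but if present it must be a string.
    // A value like { $gt: '' } is an object, so it fails here as well.
    if (value !== undefined && typeof value !== PROFILE_WHITELIST[key]) {
      throw new Error(`Field ${key} must be a ${PROFILE_WHITELIST[key]}`);
    }
  }
  return userData;
}

// Build the Mongo modifier from explicitly named fields only. Even if the
// validation step were removed, no key that is not written here can reach $set.
function buildProfileModifier(userData, now = new Date()) {
  validateProfileInput(userData);
  const { bio, location } = userData;
  const fields = { updatedAt: now };
  if (bio !== undefined) fields.bio = bio;
  if (location !== undefined) fields.location = location;
  return { $set: fields };
}

// Convenience for demonstrating outcomes: true when the payload is refused.
function isRejected(payload) {
  try {
    buildProfileModifier(payload);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample payloads (not captured traffic)
const legitPayload = { bio: 'Hi there', location: 'Berlin' };
const privilegePayload = { bio: 'hacker', isAdmin: true };
const operatorPayload = { bio: { $gt: '' } };

console.log(buildProfileModifier(legitPayload, new Date(0)));
console.log('isAdmin payload rejected:', isRejected(privilegePayload));
console.log('operator payload rejected:', isRejected(operatorPayload));
```

The two layers are deliberately redundant: validation gives the client a clear error and stops operator-shaped values, while the explicit field list guarantees that a future schema change cannot silently widen what the update writes.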
