GuardAPI

Fix Mass Assignment in Quarkus

Mass Assignment, also called Overposting, occurs when a Quarkus application binds an incoming JSON request body directly to a Hibernate ORM/Panache entity, so that every mapped column becomes writable by the client. An attacker can set sensitive fields such as 'role', 'isAdmin', or 'balance' simply by including them in the payload, even though the UI never exposes them. This is a common entry point for privilege escalation.

The Vulnerable Pattern

import jakarta.transaction.Transactional;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/users")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class UserResource {

    @POST
    @Transactional
    public Response createUser(User user) {
        // VULNERABLE: the request body is bound directly to the Panache entity,
        // so any mapped column (including role) can be set by the client.
        // Attacker can send {"username": "hacker", "role": "ADMIN"}
        user.persist();
        return Response.status(201).entity(user).build();
    }
}

The Secure Implementation

The fix is to decouple the persistence model from the API contract. Binding the request body to a Data Transfer Object (DTO) or a Java record gives you an explicit whitelist of client-writable fields. In the secure example, a 'role' field in the JSON is dropped because 'UserRegistrationDTO' has no such component: Quarkus configures Jackson to ignore unknown properties by default (quarkus.jackson.fail-on-unknown-properties=false), and setting that property to true makes the request fail instead, which is the stricter choice when clients should never send extra fields. Either way, sensitive state such as the role is assigned by server-side business logic, never taken from client input. Apply the same separation to update endpoints (PUT/PATCH), where copying fields from a request object onto a loaded entity reintroduces the flaw, and consider a response DTO as well, since returning the entity itself exposes every mapped column in the response.

import jakarta.transaction.Transactional;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;

@Path("/users")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public class UserResource {

    // A record (or DTO) defines the only fields a client may supply
    public record UserRegistrationDTO(String username, String email) {}

    @POST
    @Transactional
    public Response createUser(UserRegistrationDTO dto) {
        User user = new User();
        user.username = dto.username();
        user.email = dto.email();
        // Sensitive fields are set by server-side logic, never from the payload
        user.role = "USER";

        user.persist();
        return Response.status(201).entity(user).build();
    }
}
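The following standalone program is an added example, not code from the GuardAPI page or from Quarkus itself. It reproduces the binding step outside the framework with plain Jackson, the JSON provider the quarkus-rest-jackson extension uses, so you can see both outcomes side by side: binding the attacker's payload to the entity sets role, binding it to the record drops role, and a mapper with FAIL_ON_UNKNOWN_PROPERTIES enabled (the equivalent of quarkus.jackson.fail-on-unknown-properties=true) rejects the payload outright. It assumes jackson-databind 2.12 or newer and Java 16 or newer for record support; the User class, the ATTACKER_JSON payload and the MassAssignmentDemo name are constructed for this demo.

```java
// Added example (not from the GuardAPI page): shows why a record DTO defeats
// mass assignment, using plain Jackson outside Quarkus.
// Assumes jackson-databind >= 2.12 on the classpath and Java >= 16.
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;

public class MassAssignmentDemo {

    // Stand-in for the Panache entity (public fields, like the page's User).
    public static class User {
        public String username;
        public String email;
        public String role = "USER"; // sensitive: must never come from the client
    }

    // Whitelist of client-writable fields, same shape as the page's DTO.
    public record UserRegistrationDTO(String username, String email) {}

    // Constructed attacker payload: a valid registration plus an extra "role".
    static final String ATTACKER_JSON =
        "{\"username\":\"hacker\",\"email\":\"h@example.com\",\"role\":\"ADMIN\"}";

    // Vulnerable path: the body is bound straight to the entity, so Jackson
    // writes the attacker-supplied role into the object that will be persisted.
    static User bindToEntity(ObjectMapper mapper) throws Exception {
        return mapper.readValue(ATTACKER_JSON, User.class);
    }

    // Secure path: bind to the record first, then copy only whitelisted fields
    // and let server-side logic decide the role.
    static User bindViaDto(ObjectMapper mapper) throws Exception {
        UserRegistrationDTO dto = mapper.readValue(ATTACKER_JSON, UserRegistrationDTO.class);
        User u = new User();
        u.username = dto.username();
        u.email = dto.email();
        u.role = "USER";
        return u;
    }

    public static void main(String[] args) throws Exception {
        // Mirrors the Quarkus default: unknown JSON properties are silently ignored.
        ObjectMapper lenient = new ObjectMapper()
            .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);

        System.out.println("entity binding, lenient mapper -> role=" + bindToEntity(lenient).role);
        System.out.println("DTO binding,    lenient mapper -> role=" + bindViaDto(lenient).role);

        // Stricter variant: reject any property the record does not declare
        // (quarkus.jackson.fail-on-unknown-properties=true in application.properties).
        ObjectMapper strict = new ObjectMapper()
            .enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        try {
            bindViaDto(strict);
            System.out.println("strict DTO binding -> accepted (unexpected)");
        } catch (UnrecognizedPropertyException e) {
            System.out.println("strict DTO binding -> rejected unknown field '"
                + e.getPropertyName() + "'");
        }
    }
}
```

Run it with jackson-databind on the classpath (for example via a one-class Maven or Gradle project). The first line prints the role the attacker chose, the second prints the role the server assigned, and the third shows the strict mapper refusing the payload because of the undeclared 'role' field. The same three behaviours are what Quarkus exhibits for the vulnerable resource, the DTO-based resource, and the DTO-based resource with fail-on-unknown-properties enabled.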


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.