GuardAPI

Fix Mass Assignment in RedwoodJS

Mass Assignment in RedwoodJS occurs when unvalidated input from the GraphQL layer is passed (or spread) directly into Prisma's database methods. In a typical Redwood service, if you hand the entire 'input' object to 'db.model.update', an attacker can include fields the endpoint was never meant to change, such as 'isAdmin' or 'role', in the payload, escalating privileges or corrupting internal state.

The Vulnerable Pattern

import { db } from 'src/lib/db'

export const updateUser = ({ id, input }) => {
  // VULNERABLE: passing the whole input object as `data` lets the client
  // choose which columns get written, including role or isAdmin
  return db.user.update({
    data: input,
    where: { id },
  })
}

The Secure Implementation

To kill Mass Assignment, implement strict field whitelisting at the Service layer. Do not rely on the SDL to filter input. GraphQL validation does reject keys that are not declared on the input type, but Redwood's scaffold generator emits an 'UpdateUserInput' that mirrors every column of the Prisma model, so privileged columns like 'role' or 'isAdmin' are usually declared and pass straight through to the service. Prisma itself only accepts columns it knows about, which is exactly the problem: the dangerous fields are real columns. By explicitly destructuring the input object, you ensure only authorized attributes reach the 'data' property of the Prisma client. As defense in depth, also remove privileged fields from the public input type and move changes to them into a separate, authorization-checked service.

import { db } from 'src/lib/db'

export const updateUser = ({ id, input }) => {
  // SECURE: destructure input to whitelist specific fields; anything else
  // the client sent (role, isAdmin, ...) never reaches Prisma
  const { name, email, bio } = input

  return db.user.update({
    data: { name, email, bio },
    where: { id },
  })
}
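The following is an added example, not GuardAPI's or RedwoodJS's own code. It puts the vulnerable and allow-listed services side by side and runs both against a constructed in-memory stand-in for Prisma's `db`, so it executes offline. In a real service the database comes from `import { db } from 'src/lib/db'` (assumed here) and its methods return promises; the stand-in is synchronous to keep the demonstration self-contained. It also goes one step beyond the destructuring above: unexpected keys make the request fail loudly instead of being silently trimmed.

```javascript
// Added example, not GuardAPI's or RedwoodJS's code. `db` is a constructed
// in-memory stand-in for Prisma; a real service would import it from
// 'src/lib/db' and await its (promise-returning) methods.

// Fields a client may change through updateUser. Everything else (role,
// isAdmin, hashedPassword, ...) must go through a separate, authorised service.
const UPDATABLE_USER_FIELDS = Object.freeze(['name', 'email', 'bio'])

// Split `input` into the allow-listed `data` for Prisma and the `rejected`
// keys, so the caller can decide whether to drop or refuse a tampered payload.
function pickAllowed(input, allowed = UPDATABLE_USER_FIELDS) {
  const data = {}
  const rejected = []
  for (const key of Object.keys(input || {})) {
    if (allowed.includes(key)) data[key] = input[key]
    else rejected.push(key)
  }
  return { data, rejected }
}

// Constructed stand-in for Prisma's `db.user`: a Map keyed by id whose
// `update` merges whatever `data` it is handed, exactly as the real client
// would write whatever columns the service passes it.
function makeFakeDb(users) {
  const store = new Map(users.map((u) => [u.id, { ...u }]))
  return {
    user: {
      update: ({ where, data }) => {
        const current = store.get(where.id)
        if (!current) throw new Error(`User ${where.id} not found`)
        const next = { ...current, ...data }
        store.set(where.id, next)
        return next
      },
      findUnique: ({ where }) => store.get(where.id) || null,
    },
  }
}

// VULNERABLE: the whole input object becomes Prisma's `data`.
const updateUserVulnerable = (db) => ({ id, input }) =>
  db.user.update({ data: input, where: { id } })

// SECURE: only allow-listed keys reach `data`. Unexpected keys abort the
// request, so a tampered payload fails loudly (and shows up in logs)
// instead of being silently trimmed.
const updateUserSecure = (db) => ({ id, input }) => {
  const { data, rejected } = pickAllowed(input)
  if (rejected.length > 0) {
    throw new Error(`updateUser: fields not permitted: ${rejected.join(', ')}`)
  }
  return db.user.update({ data, where: { id } })
}

// Constructed attacker payload: a normal-looking profile edit with `role`
// smuggled in. Returns what each variant leaves in the database.
function demo() {
  const seed = [{ id: 1, name: 'alice', email: 'a@example.com', bio: '', role: 'user' }]
  const tampered = { name: 'alice', bio: 'hello', role: 'admin' }

  const dbVulnerable = makeFakeDb(seed)
  const afterVulnerable = updateUserVulnerable(dbVulnerable)({ id: 1, input: tampered })

  const dbSecure = makeFakeDb(seed)
  let secureError = null
  try {
    updateUserSecure(dbSecure)({ id: 1, input: tampered })
  } catch (e) {
    secureError = e.message
  }
  const afterSecure = dbSecure.user.findUnique({ where: { id: 1 } })

  return {
    vulnerableRole: afterVulnerable.role, // 'admin': privilege escalated
    secureRole: afterSecure.role,         // 'user': untouched
    secureError,                          // names the rejected field
  }
}
```

Keep the allow-list next to the service it protects and review it whenever the Prisma model or the SDL changes; a column added to the model and to `UpdateUserInput` is reachable the moment the service forgets to filter it.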


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.