Fix Mass Assignment in Revel
Mass Assignment in Revel occurs when the framework's data binding engine maps HTTP request parameters directly onto internal models that carry sensitive fields. In an over-posting attack, an adversary adds extra JSON keys or form fields (for example `"is_admin": true`) that the developer never intended to accept from a client; because the binder populates every matching field, the result is privilege escalation or data corruption.
The Vulnerable Pattern
```go
package controllers

import "github.com/revel/revel"

// App is the controller type from Revel's default app skeleton.
type App struct {
	*revel.Controller
}

type User struct {
	ID       int
	Username string
	Password string
	IsAdmin  bool // Sensitive field: must never be settable from a request
}

func (c App) UpdateUser() revel.Result {
	var user User
	// VULNERABLE: Binds everything from the request directly to the DB model,
	// so a client-supplied "IsAdmin" key lands in the record that is saved.
	c.Params.BindJSON(&user)
	db.Save(&user) // db is the application's database handle (not shown on this page)
	return c.RenderJSON(user)
}
```
The Secure Implementation
To eliminate Mass Assignment, stop binding request payloads directly to your database entities. Revel's BindJSON and Bind functions are "blind": they populate any struct field whose name or tag matches an incoming key, with no notion of which fields are safe to accept. The fix is to bind into a Data Transfer Object (DTO), an input struct that acts as a strict whitelist, containing only the fields the user is explicitly allowed to modify. After binding to the DTO, copy its values onto the model by hand, so that sensitive fields such as `IsAdmin`, `Role`, or `Balance` are never touched by user input.
```go
package controllers

import "github.com/revel/revel"

// UserUpdateDTO is the whitelist: only these fields can be set by a client.
type UserUpdateDTO struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

func (c App) UpdateUser() revel.Result {
	var input UserUpdateDTO
	// SECURE: Bind only to a specific Input Struct (DTO); unknown keys such as
	// "is_admin" have no matching field and are dropped.
	if err := c.Params.BindJSON(&input); err != nil {
		return c.RenderError(err)
	}

	// Fetch the existing record and manually map only the allowed fields.
	// In production, check the result of the lookup and return 404 when the
	// record does not exist.
	var user User
	db.First(&user, c.Params.Get("id"))
	user.Username = input.Username
	user.Password = Hash(input.Password) // Hash is the app's password hashing helper (not shown)
	db.Save(&user)
	return c.RenderJSON(user)
}
```
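The following added example, which is not part of the original page or of Revel itself, shows the vulnerable and the secure binding side by side on a constructed over-posting payload. It simulates the binding step with the standard library's `encoding/json` (Revel's `BindJSON` is not used, so the program runs without the framework), and it adds one defence-in-depth step the page does not cover: a strict decoder using `DisallowUnknownFields`, which rejects a payload carrying keys outside the whitelist so that an over-posting attempt fails loudly and can be logged rather than being silently discarded. The `hash` helper and the `overPostedBody` value are assumptions constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// User mirrors the page's database model; IsAdmin must never come from the client.
type User struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Password string `json:"password"`
	IsAdmin  bool   `json:"is_admin"`
}

// UserUpdateDTO is the whitelist of fields a caller may change.
type UserUpdateDTO struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// overPostedBody is a constructed attacker-style payload with an extra key.
const overPostedBody = `{"username":"alice","password":"hunter2","is_admin":true}`

// bindVulnerable reproduces the vulnerable pattern: the request body is
// decoded straight into the model, so "is_admin" lands in the struct.
func bindVulnerable(body string) (User, error) {
	var u User
	err := json.Unmarshal([]byte(body), &u)
	return u, err
}

// bindDTO reproduces the secure pattern: only whitelisted fields exist on the
// target struct, so unknown keys are dropped.
func bindDTO(body string) (UserUpdateDTO, error) {
	var in UserUpdateDTO
	err := json.Unmarshal([]byte(body), &in)
	return in, err
}

// bindDTOStrict goes one step further than the page: a payload with keys
// outside the whitelist is rejected, which makes over-posting detectable.
func bindDTOStrict(body string) (UserUpdateDTO, error) {
	var in UserUpdateDTO
	dec := json.NewDecoder(strings.NewReader(body))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&in); err != nil {
		return UserUpdateDTO{}, err
	}
	return in, nil
}

// applyUpdate copies the allowed fields from the DTO onto an existing record;
// every other field of the stored record is left untouched.
func applyUpdate(existing User, in UserUpdateDTO) User {
	existing.Username = in.Username
	existing.Password = hash(in.Password)
	return existing
}

// hash stands in for the page's Hash helper (assumption; not a real password hash).
func hash(p string) string { return "hashed(" + p + ")" }

func main() {
	stored := User{ID: 7, Username: "old", Password: "x", IsAdmin: false}

	v, _ := bindVulnerable(overPostedBody)
	fmt.Printf("vulnerable bind: IsAdmin=%v\n", v.IsAdmin) // true: privilege escalated

	in, _ := bindDTO(overPostedBody)
	updated := applyUpdate(stored, in)
	fmt.Printf("DTO bind: IsAdmin=%v Username=%s\n", updated.IsAdmin, updated.Username) // false alice

	if _, err := bindDTOStrict(overPostedBody); err != nil {
		fmt.Println("strict bind rejected payload:", err) // json: unknown field "is_admin"
	}
}
```

Whether to use the strict decoder is a design choice: silently dropping unknown keys keeps clients working when you add fields later, while rejecting them gives you a clear signal worth alerting on, since a legitimate client has no reason to send `is_admin`.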
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.