Fix Mass Assignment in Rocket

Mass assignment in Rocket occurs when untrusted input is bound directly to internal models. In the context of Rust, this typically happens when you deserialize a request body directly into a struct that shares fields with your database schema or internal state. If your struct includes sensitive fields like 'role', 'is_admin', or 'balance', an attacker can overwrite these values by simply including them in the JSON payload. Stop treating your database models as public interfaces.

The Vulnerable Pattern

#[derive(Deserialize, Insertable)]
#[serde(crate = "rocket::serde")]
struct User {
    pub username: String,
    pub is_admin: bool, // VULNERABILITY: Attackers can set this to true
}
#[post(“/profile/update”, data = “<user_data>”)]
fn update_profile(user_data: Json) {
// The attacker sends { “username”: “hacker”, “is_admin”: true }
// This object is saved directly to the database.
save_to_db(user_data.into_inner());
}

The Secure Implementation

The fix implements the DTO (Data Transfer Object) pattern. By creating a specific struct (UpdateUserRequest) that only contains the fields a user is permitted to change, you create a whitelist at the type level. Even if an attacker injects 'is_admin' into the JSON payload, the Serde deserializer will ignore it because the field does not exist in the DTO. Always manually map fields from your request guards to your persistence models to maintain strict control over state transitions.

#[derive(Deserialize)]
#[serde(crate = "rocket::serde")]
struct UpdateUserRequest {
    pub username: String,
    // sensitive fields are omitted here
}
struct User {
pub username: String,
pub is_admin: bool,
}
#[post(“/profile/update”, data = "")]
fn update_profile(input: Json) {
let update = input.into_inner();
let current_user = get_current_user();
let updated_model = User {
    username: update.username,
    is_admin: current_user.is_admin, // Explicitly preserve or set internal state
};

save_to_db(updated_model);
}