Fix Mass Assignment in Sails
Mass Assignment in Sails.js occurs when the Waterline ORM consumes the entire `req.body` object without filtering. This allows an attacker to inject unauthorized fields—such as `role: 'admin'` or `balance: 99999`—into a database record, leading to privilege escalation or data corruption.
The Vulnerable Pattern
```javascript
/**
 * VULNERABLE: The 'Lazy Developer' Pattern
 * Directly passing req.body to the ORM allows any field to be overwritten.
 */
async updateProfile(req, res) {
  // req.me is the authenticated user, populated by a policy (not shown).
  // Every key in the request body is written to the record, whatever it is.
  const updatedUser = await User.updateOne({ id: req.me.id })
    .set(req.body);

  return res.ok(updatedUser);
}
```
The Secure Implementation
To kill Mass Assignment, you must treat all incoming request data as malicious. The vulnerable snippet is a security nightmare because it maps the HTTP payload directly to your persistence layer. By using `_.pick()`, you create a strict whitelist, ensuring that internal fields like `isAdmin`, `password`, or `id` remain untouched regardless of what the attacker sends. Additionally, ensure Sails Blueprints are disabled or protected by policies: the default blueprint `create` and `update` routes pass request parameters straight to the model, so they are inherently susceptible to this vulnerability.
```javascript
/**
 * SECURE: The 'Whitelist' Pattern
 * Explicitly pick permitted fields using Lodash or destructuring.
 */
async updateProfile(req, res) {
  // Define a strict whitelist of editable attributes
  const allowedFields = ['bio', 'location', 'preferredLanguage'];
  // _.pick copies only the whitelisted keys; anything else is dropped
  const safeData = _.pick(req.body, allowedFields);

  if (Object.keys(safeData).length === 0) {
    return res.badRequest('No valid fields provided.');
  }

  const updatedUser = await User.updateOne({ id: req.me.id })
    .set(safeData);

  return res.ok(updatedUser);
}
```
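The following is an added example, not code from the original page or from Sails itself. It implements the whitelist step from the secure pattern as a plain helper (no Lodash, so it runs stand-alone), runs both the vulnerable and the hardened handler against a constructed in-memory user record and a constructed payload carrying injected `isAdmin`, `role` and `id` fields, and additionally reports which sensitive keys were stripped so the handler can log the tampering attempt. The `SENSITIVE_KEYS` list, the `whitelistPayload`/`hardenedUpdate` helpers and the sample data are all assumptions made for this example.

```javascript
// Added example (not from the original page or the Sails project): a
// reusable whitelist helper for Waterline update payloads, plus a
// vulnerable-vs-hardened comparison against an in-memory record.
// `_.pick` on the page performs the same filtering step as whitelistPayload.

// Keys an update may never carry. They are absent from every whitelist anyway;
// listing them lets the handler flag their presence as a tampering signal.
// (Assumed list for this example.)
const SENSITIVE_KEYS = ['id', 'isAdmin', 'role', 'password', 'balance'];

// Returns { safeData, rejected }: safeData holds only own, whitelisted keys;
// rejected lists every key that was dropped so the caller can log it.
function whitelistPayload(body, allowedFields) {
  const safeData = {};
  const rejected = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { safeData, rejected }; // non-object bodies carry no usable fields
  }
  const allowed = new Set(allowedFields);
  for (const key of Object.keys(body)) { // own enumerable keys only
    if (allowed.has(key)) {
      safeData[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { safeData, rejected };
}

// Simulates the vulnerable handler: every field in the payload is applied.
function vulnerableUpdate(record, body) {
  return { ...record, ...body };
}

// Simulates the hardened handler: only whitelisted fields are applied, and
// any sensitive key found in the payload is surfaced in `tampered`.
function hardenedUpdate(record, body, allowedFields) {
  const { safeData, rejected } = whitelistPayload(body, allowedFields);
  const tampered = rejected.filter((k) => SENSITIVE_KEYS.includes(k));
  if (Object.keys(safeData).length === 0) {
    // Same edge case the page's handler answers with res.badRequest()
    return { ok: false, reason: 'No valid fields provided.', record, tampered };
  }
  return { ok: true, record: { ...record, ...safeData }, tampered };
}

// Constructed sample data: a stored user and a profile edit with injected
// privilege fields mixed into an otherwise legitimate bio change.
const ALLOWED = ['bio', 'location', 'preferredLanguage'];
const storedUser = { id: 42, role: 'user', isAdmin: false, bio: 'old bio' };
const attackerBody = { bio: 'new bio', isAdmin: true, role: 'admin', id: 1 };

// Runs both handlers on the sample so the difference is visible side by side.
function demo() {
  const bad = vulnerableUpdate(storedUser, attackerBody);
  const good = hardenedUpdate(storedUser, attackerBody, ALLOWED);
  return { bad, good };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real action, `hardenedUpdate`'s `tampered` array is what you would write to your audit log before calling `User.updateOne(...).set(safeData)`: a request that carries `isAdmin` or `role` in a profile edit is a strong indicator of a scanner or a hand-crafted probe, and logging the caller's `req.me.id` alongside it gives the SOC something to act on.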
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.