GuardAPI

Fix Mass Assignment in Spiral

Mass Assignment in Spiral's Cycle ORM occurs when an attacker manipulates the HTTP request to inject values into unexpected entity fields. If you are blindly hydrating entities from raw request data, you are likely exposing sensitive columns like 'is_admin', 'balance', or 'id' to unauthorized modification.

The Vulnerable Pattern

public function update(User $user, Request $request): void {
    // DANGEROUS: Blindly filling the entity from all request data
    $user->fill($request->data());
    $this->entities->save($user);
}

The Secure Implementation

The vulnerability stems from the 'fill()' method, or any direct array-to-entity hydration, that applies request data without a whitelist. To mitigate this in Spiral, use the 'Spiral\Filters\Filter' component. It acts as a strongly typed Data Transfer Object (DTO) that maps specific request keys to properties. By assigning only the verified filter values to the entity, you ensure that even if an attacker sends 'is_admin=1' in the POST body it is ignored, because that key is not defined in the Filter schema.

namespace App\Filter;

use Spiral\Filters\Filter;

class UserUpdateFilter extends Filter
{
    // Only the keys listed here are read from the request body ('data:' bag);
    // anything else the client sends (is_admin, balance, id, ...) is dropped.
    protected const SCHEMA = [
        'username' => 'data:username',
        'email'    => 'data:email',
    ];
}

// In Controller
public function update(User $user, UserUpdateFilter $filter): void
{
    // SECURE: Only properties defined in the Filter are used
    $user->username = $filter->username;
    $user->email    = $filter->email;
    $this->entities->save($user);
}
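The following added example is not from the original page or from the Spiral project: it is a framework-free PHP script that reproduces the whitelist behaviour described above with a stand-in for Spiral's Filter (same 'data:key' schema convention), so the difference between 'fill()' and schema-based hydration can be run and checked locally. The 'User' entity, the stand-in 'UserUpdateFilter' class and the '$payload' array are constructed for the demonstration.

```php
<?php
// Added example, not Spiral's code: a framework-free stand-in for the Filter whitelist above.
final class User
{
    public function __construct(
        public int $id = 42,
        public string $username = 'alice',
        public string $email = 'alice@example.com',
        public bool $is_admin = false,   // sensitive column an attacker wants to reach
    ) {}

    // DANGEROUS: copies every request key that matches a property (mass assignment)
    public function fill(array $data): void
    {
        foreach ($data as $k => $v) {
            if (property_exists($this, $k)) { $this->$k = $v; }
        }
    }
}
// Stand-in for Spiral's Filter: only keys named in SCHEMA are ever read from the input.
final class UserUpdateFilter
{
    private const SCHEMA = ['username' => 'data:username', 'email' => 'data:email'];
    private array $values = [];

    public function __construct(array $data)   // $data plays the role of the POST body
    {
        foreach (self::SCHEMA as $prop => $source) {
            [$bag, $key] = explode(':', $source, 2);   // 'data:username' -> 'data', 'username'
            if ($bag === 'data' && array_key_exists($key, $data)) { $this->values[$prop] = $data[$key]; }
        }
    }

    public function __get(string $prop): mixed { return $this->values[$prop] ?? null; }
}

// Constructed attacker payload: valid fields plus privilege-escalation keys.
$payload = ['username' => 'mallory', 'email' => 'm@example.com', 'is_admin' => true, 'id' => 1];

$vulnerable = new User();
$vulnerable->fill($payload);
assert($vulnerable->is_admin === true && $vulnerable->id === 1);   // escalated

$secure = new User();
$filter = new UserUpdateFilter($payload);
$secure->username = $filter->username;
$secure->email = $filter->email;
assert($secure->is_admin === false && $secure->id === 42);         // untouched
echo "fill(): is_admin=" . var_export($vulnerable->is_admin, true) . "; Filter: is_admin=" . var_export($secure->is_admin, true) . "\n";
```

Run with 'php example.php' (PHP 8.0 or later, with assertions enabled); the script exits silently on the asserts and prints that 'fill()' escalated the account while the Filter path left 'is_admin' and 'id' untouched.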


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.