Mass Assignment

Learn about the pros and cons of mass assignment.

We'll cover the following

What is mass assignment?

Mass assignment is an incredibly useful tool. When used properly, it can speed up development time. But it can cause severe damage if used improperly. This functionality is usually included as part of an Object Relational Mapper (ORM) or Object Document Mapper (ODM). ORMs aren’t as popular in Node as they are in other languages, but they come up occasionally. ODMs are popular if you use MongoDB, CouchDB, or another schema-less document database.

In the examples below, we’ll use Mongoose. Mongoose is a MongoDB object modeling tool for Node.js…

Let’s say you have a User model that needs to be updated with several changes. You could update each field individually, or you could pass all of the changes from a form and update it in one go.

Your form might look like this:

<form action="...">
    <input name="first_name" />
    <input name="last_name" />
    <input name="email" />
</form>

Then you have back end code to process and save the form submission. That might look like this:

var User = mongoose.model('User');

var liz = new User(req.body);
liz.save();

Quick and easy, right? But what if a malicious user modifies the form, giving themselves administrator permissions?

<form action="...">
    <input type="text" name="first_name" />
    <input type="text" name="last_name" />
    <input type="text" name="email" />
    <input type="hidden" name="permissions" value="{'admin':'true'}" />
</form>

That same code would now change this user’s permissions erroneously.

Many developers and sites have fallen victim to this problem. A recent, well-known exploit of this vulnerability occured when a user exposed Ruby on Rails.

  • Egor Homakov initially reported to the Rails team that new Rails installs were insecure. His bug report was rejected.
  • The core team thought it was a minor concern that would be easier for new developers to leave enabled by default.
  • Homakov hilariously “hacked” the Rails GitHub account (GitHub is built on Rails) to give himself administrative rights to their repositories.

Needless to say, this proved his point, and now Rails, and GitHub, are protected from this attack by default.

Protecting your application

How do you protect your application against this? The exact implementation details depend on the framework or codebase you’re using, but you have a few options:

  • Turn off mass assignment completely; in Mongoose this is accomplished by using strict mode.
  • Whitelist the fields that are safe to be mass assigned, iterate over your body params, and only save the whitelisted fields.
  • Blacklist the fields that are not safe to be mass assigned, iterate over your body params, and only save the fields that are not blacklisted.

There is also a plugin for Mongoose specifically, Mongoose Mass Assign, that will assist with this.

Depending on your implementation, some of these may be used simultaneously. A simple whitelist implementation looks like this:

Get hands-on with 1200+ tech skills courses.