RSTR-ORM-001 — Node ORM Model.create(req.body)

Summary

A Node ORM (Mongoose, Sequelize, Prisma, etc.) is asked to create or update a record using the entire request body as the data object. This is mass assignment: every field name the attacker sends becomes a field in the database write, whether or not the form or API was meant to expose it. Submit {name: "alice", isAdmin: true, role: "admin"} and you get an admin account.

Severity

High.

Languages

JavaScript / TypeScript.

How to fix it

Allow-list the fields explicitly, on every create and update path that takes request data. Three idiomatic forms:

lodash.pick:

import _ from 'lodash';
// Unknown keys (isAdmin, role, ...) are silently dropped; only the listed fields survive.
const data = _.pick(req.body, ['name', 'email']);
await User.create(data);

Schema validation (zod):

import { z } from 'zod';
// .strict() rejects any unexpected key instead of stripping it, so a tampered body fails validation.
const Body = z.object({ name: z.string(), email: z.string().email() }).strict();
const data = Body.parse(req.body);
await User.create(data);

Prisma — only pass the fields explicitly:

await prisma.user.create({
  data: { name: req.body.name, email: req.body.email },
});
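The two behaviours above (drop unknown keys versus reject the request) side by side, as an added example that is not part of this advisory. It uses a constructed request body and a fake in-memory model standing in for Model.create; the helper names and field list are assumptions, not any ORM's API.

```javascript
// Added example: allow-list helpers plus a stand-in model so the effect of
// mass assignment can be observed offline. Names and fields are illustrative.

const ALLOWED_USER_FIELDS = ['name', 'email'];

// Lenient form (like lodash.pick): copy only allow-listed own properties.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key) && body[key] !== undefined) {
      out[key] = body[key];
    }
  }
  return out;
}

// Strict form (like zod .strict()): refuse the whole request if any key is
// outside the allow-list, so tampering is visible instead of silently trimmed.
function pickAllowedStrict(body, allowed) {
  const unexpected = Object.keys(body).filter((k) => !allowed.includes(k));
  if (unexpected.length > 0) {
    throw new Error(`unexpected fields: ${unexpected.join(', ')}`);
  }
  return pickAllowed(body, allowed);
}

// Minimal stand-in for Model.create: applies defaults, then whatever data it is given.
class FakeUserModel {
  constructor() { this.rows = []; }
  create(data) {
    const row = { id: this.rows.length + 1, isAdmin: false, role: 'user', ...data };
    this.rows.push(row);
    return row;
  }
}

// Constructed request body carrying a privilege-escalation attempt.
const hostileBody = { name: 'alice', email: 'alice@example.test', isAdmin: true, role: 'admin' };

// The pattern the advisory describes: the whole body reaches the write.
function vulnerableCreate(model, body) {
  return model.create(body);
}

// Hardened: only allow-listed fields reach the write; defaults win for the rest.
function hardenedCreate(model, body) {
  return model.create(pickAllowed(body, ALLOWED_USER_FIELDS));
}
```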

References