mass-assignment-anti-pattern


Mass Assignment Anti-Pattern

Severity: High

Summary

Mass assignment (autobinding) occurs when a framework automatically binds every incoming HTTP parameter to a property of the target object without filtering. An attacker adds properties the request was never meant to carry (such as isAdmin: true) to escalate privileges or overwrite protected fields. Because the injected parameters are written straight onto the model, the vulnerability bypasses access control entirely through parameter injection.

The Anti-Pattern

Never use user-provided data dictionaries to update models without filtering for allowed properties. Use explicit allowlists.

BAD Code Example

```python
# VULNERABLE: Incoming request data used directly to update user model
from flask import request
from db import User, session
```
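The following is an added, self-contained example that is not part of the skill's own SKILL.md snippet above. It puts the anti-pattern next to the allowlist fix, with no Flask or database dependency so it runs offline: the hypothetical `User` dataclass stands in for the ORM model, and `MALICIOUS_BODY` is a constructed request body in which a user who may only change their email also smuggles in `is_admin` and `balance`. The hardened version has two modes: strict (reject the whole request, the safer default) and lenient (apply only allowed keys and return the dropped ones so they can be logged, which gives a detection signal).

```python
from dataclasses import dataclass

# Hypothetical stand-in for the page's ORM User model (not the skill's own code)
@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False   # protected: must never be client-writable
    balance: int = 0         # protected: must never be client-writable

# Constructed attacker request body: a legitimate email change plus two injected fields
MALICIOUS_BODY = {"email": "new@example.com", "is_admin": True, "balance": 10**6}

# Explicit allowlist of fields a user may set on their own profile.
# Listing what IS writable (rather than denylisting what is not) means a
# new protected column added later is safe by default.
UPDATABLE_FIELDS = frozenset({"username", "email"})


class MassAssignmentRejected(ValueError):
    """Raised when a request carries fields outside the allowlist."""


def update_user_vulnerable(user: User, body: dict) -> User:
    """Anti-pattern: every key in the request is written onto the model."""
    for key, value in body.items():
        setattr(user, key, value)   # is_admin and balance get overwritten too
    return user


def update_user_allowlist(user: User, body: dict,
                          allowed: frozenset = UPDATABLE_FIELDS,
                          strict: bool = True) -> tuple[User, list[str]]:
    """Hardened: only allowlisted keys reach the model.

    strict=True  -> any unexpected key rejects the whole request (fail closed).
    strict=False -> unexpected keys are dropped and returned so the caller
                    can log them; a burst of such keys is worth alerting on.
    """
    unexpected = sorted(set(body) - allowed)
    if unexpected and strict:
        raise MassAssignmentRejected(f"unexpected fields: {unexpected}")
    for key in sorted(allowed & set(body)):
        setattr(user, key, body[key])
    return user, unexpected


def demo() -> dict:
    """Run the three variants on the same constructed body and return the outcomes."""
    victim = update_user_vulnerable(User("alice", "a@example.com"), dict(MALICIOUS_BODY))

    lenient_user, dropped = update_user_allowlist(
        User("alice", "a@example.com"), MALICIOUS_BODY, strict=False)

    try:
        update_user_allowlist(User("alice", "a@example.com"), MALICIOUS_BODY)
        strict_rejected = False
    except MassAssignmentRejected:
        strict_rejected = True

    return {
        "vulnerable_is_admin": victim.is_admin,        # True: privilege escalated
        "lenient_is_admin": lenient_user.is_admin,     # False: injected key dropped
        "lenient_email": lenient_user.email,           # legitimate change still applied
        "lenient_dropped": dropped,                    # ["balance", "is_admin"] -> log this
        "strict_rejected": strict_rejected,            # True: whole request refused
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allowlist should be defined per endpoint and per role, not per model: the fields an administrator may set on a user differ from the fields the user may set on themselves, and a single model-wide list tends to drift toward the union of both.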
Installs: 9 · GitHub Stars: 5 · First Seen: Jan 20, 2026
mass-assignment-anti-pattern — igbuend/grimbard