Category: Laravel, api

Eloquent, like many other ORMs, has a convenient feature (mass assignment) that lets you set many attributes on a model at once instead of assigning each value individually. It saves time and lines of code, but used incorrectly it leads to a vulnerability: any attribute the model accepts through mass assignment can be set by whoever controls the request. For example, here is a simplified version of insecure code that we found during a security code review for one of our clients:

The reason it was added there is that another API legitimately needed to change the role as well. This is a common pattern in the Laravel applications we review or pen-test: $fillable works well for a simple application, but it becomes hard to manage as the application grows and multiple APIs (or roles) create or update the same type of model under different ACL rules. Once an attribute is in $fillable to serve one privileged endpoint, every other code path that mass-assigns request data to that model can set it too.

Pass to the model only fields that have been validated

This is probably the most effective way of dealing with mass assignment attacks: instead of passing the full request data to the model, pass only the fields that have been validated. Validating the request is not enough on its own; a handler that calls $request->validate() and then passes $request->all() to the model still forwards every unvalidated key.

To do so, Laravel provides the $request->validated() method, which returns only the fields that have validation rules, so anything the client adds beyond those rules is dropped before it reaches the model.
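The following is an added illustration written for this article, not the client code from the review or Laravel's own code. It shows the pattern described above: a User model whose $fillable includes role because an admin endpoint needs it, a profile endpoint that validates but then forwards $request->all(), and the hardened variant that forwards $request->validated() from a FormRequest. The class, route and column names (App\Models\User with a role column, ProfileController, UpdateProfileRequest) are assumptions for the example.

```php
<?php
// Added example for this article; not the reviewed client's code.
// Assumed: an App\Models\User model with a 'role' column, a PUT /profile
// route pointing at ProfileController@update, and Laravel 9+.

// ---- app/Models/User.php ----
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // 'role' is fillable because an admin endpoint legitimately sets it.
    // Once it is here, EVERY mass-assignment call on User can set it.
    protected $fillable = ['name', 'email', 'password', 'role'];
}

// ---- app/Http/Requests/UpdateProfileRequest.php ----
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class UpdateProfileRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;
    }

    // No rule for 'role', so validated() never contains it, even if submitted.
    public function rules(): array
    {
        return [
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ];
    }
}

// ---- app/Http/Controllers/ProfileController.php ----
namespace App\Http\Controllers;

use App\Http\Requests\UpdateProfileRequest;
use Illuminate\Http\Request;

class ProfileController extends Controller
{
    // VULNERABLE: the request is validated, but the whole payload is then
    // forwarded to the model. A request body such as
    //   {"name": "alice", "email": "alice@example.com", "role": "admin"}
    // passes validation (extra keys are ignored by validate()) and the
    // 'role' key is mass-assigned because it is in $fillable.
    public function updateInsecure(Request $request)
    {
        $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);

        $request->user()->update($request->all()); // forwards 'role' too

        return response()->noContent();
    }

    // HARDENED: only keys that have a validation rule reach the model.
    // For the same request body, validated() returns
    //   ['name' => 'alice', 'email' => 'alice@example.com']
    // and 'role' is silently dropped.
    public function update(UpdateProfileRequest $request)
    {
        $request->user()->update($request->validated());

        return response()->noContent();
    }
}
```

One caveat when relying on validated(): it keeps whatever the rules cover, so a loose rule such as 'profile' => ['array'] lets every nested key of that array through. Constrain nested input explicitly (for example 'array:name,email', or separate 'profile.name' and 'profile.email' rules) so the allowed shape is spelled out in the rules rather than left to the client.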