← all rules

code/mass-assignment-orm-js

Mass assignment: ORM write fed the whole request body

highBusiness logicaccess-controlCWE-915js

What it detects

An ORM create/update is passed `req.body` (or `request.body`) directly, so a client can set any column — including ones it should never control (role, isAdmin, balance, ownerId). Whitelist the assignable fields explicitly (e.g. pick/`fields`/a DTO) instead of spreading the raw body.

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.