← all rules

code/mass-assignment-py

Mass assignment: request data splatted into ORM write

highBusiness logicaccess-controlCWE-915python

What it detects

`Model.objects.create(**request.data)` (or `**request.POST` / `**request.json`) lets the client set any model field. Bind explicit fields, or use a serializer with a fixed `fields` allowlist (never `fields = '__all__'` on a model with privileged columns).

How it runs

Applied line-by-line on JS/TS and Python files (comments skipped). Flags input flowing into a trust decision — an ORM write, a privilege attribute, a charge amount, or a primary-key lookup — where an authorization/ownership check should exist. Conservative by design: confirm whether the check is present nearby.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.