Skip to main content
rulesSource-backedReview first Safety Privacy

AI-Generated Mass Assignment Review Rules

Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default.

by lourincedaging0-commits·added 2026-07-15·
HarnessClaude Code
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html, https://github.com/JSONbored/awesome-claude/blob/main/content/rules/ai-generated-mass-assignment-review-rules.mdx
Safety notes
Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields., AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones., This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.
Privacy notes
Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system., Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.
Author
lourincedaging0-commits
Submitted by
lourincedaging0-commits
Claim status
unclaimed
Last verified
2026-07-15

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

10 minutes

Install command

Not provided

Config snippet

Not provided

Copy snippet

Provided

Prerequisites

4 to clear

Platforms

1 listed

Install type

Copy & paste

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

4 prerequisites to line up before setup.

0/4 ready
Permissions & scopes3General110 minutes

Safety & privacy surface

Safety & privacy surface

3 safety and 2 privacy notes across 2 risk areas. Review closely: permissions & scopes, network access.

2 areas
  • SafetyNetwork accessMass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields.
  • SafetyNetwork accessAI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones.
  • SafetyNetwork accessThis is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.
  • PrivacyPermissions & scopesMass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system.
  • PrivacyNetwork accessDo not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.

Safety notes

  • Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields.
  • AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones.
  • This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.

Privacy notes

  • Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system.
  • Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.

Prerequisites

  • A pull request, diff, or snippet containing AI-generated or AI-edited code that binds request data to a model, entity, or ORM object.
  • Knowledge of which fields on the affected model/entity are sensitive (admin/role flags, ownership references, financial fields, verification/status flags).
  • Familiarity with the specific framework's autobinding and allowlist/block-list mechanism in use, since the safe pattern differs meaningfully between Spring MVC, Rails, Mongoose/Node, Django, and hand-rolled binding code.
  • Permission to block merge when a request-to-model binding path can set a sensitive field with no allowlist, block-list, or DTO in place.

Schema details

Install type
copy
Troubleshooting
Yes
Collection metadata
Estimated setup
10 minutes
Difficulty
intermediate
Full copyable content
You are reviewing AI-generated code for mass assignment (autobinding)
risk.

Rules:
1. Identify every place the change binds request data (JSON body, form
   fields, query parameters) directly onto a model, entity, or ORM object
   — whether via a framework's autobinding (Spring MVC model binding,
   ASP.NET MVC model binding, Rails `update_attributes`/`assign_attributes`,
   a Mongoose schema constructor, PHP object hydration) or a hand-written
   loop that copies request keys onto an object.
2. Require an explicit allowlist of the fields a given endpoint may set —
   never bind "whatever the request body contains" onto a full model
   object by default.
3. Flag any model/entity with a sensitive field (an admin/role flag, an
   ownership/user-ID reference, a price/balance, an internal status or
   verification flag) that is reachable through a binding path without
   an explicit allowlist or block-list excluding that field.
4. Prefer a dedicated Data Transfer Object (DTO) / input schema per
   endpoint that only declares the fields a user is allowed to set, over
   binding directly to the full persistence model — a field that doesn't
   exist on the DTO can't be mass-assigned even if the request includes
   it.
5. Do not treat a framework's default autobinding behavior as safe by
   default; confirm the framework's allowlist/block-list mechanism
   (`@InitBinder` allowed/disallowed fields in Spring, strong parameters
   in Rails, a schema pick/omit list in Mongoose, a serializer/DTO in
   other stacks) is actually configured for each bindable model.
6. Apply the same scrutiny to "update" endpoints as "create" endpoints —
   an update path that re-binds the full request onto an existing loaded
   entity can overwrite fields the create-path DTO already protected.

About this resource

Purpose

Use these rules when an AI coding assistant writes or edits code that binds request data onto a model, entity, or ORM object. The goal is to stop a generated create/update endpoint from letting a client set fields it was never meant to control — an admin flag, an ownership reference, a price — just by adding an extra request parameter, because the binding code accepted the whole request body by default.

This is a review policy, not a mass-assignment tutorial. It tells reviewers what must be true about a generated change's request-to-model binding before the change is safe to merge.

Review Inputs

Collect enough context to know what gets bound and what's sensitive on it.

  • Every place the change binds request data (JSON body, form fields, query parameters) onto a model, entity, or ORM object, whether through framework autobinding or hand-written field-copying code.
  • Which fields on the target model/entity are sensitive: privilege/role flags, ownership or user-ID references, financial fields, verification or approval status, anything that should only ever be set by trusted server-side logic.
  • Whether the framework in use autobinds by default (Spring MVC, ASP.NET MVC, Rails, many ORMs) and what its allowlist/block-list mechanism is.
  • Whether create and update paths for the same model use the same binding code or different, independently-reviewed paths.

Binding Rules

  • Require an explicit allowlist of bindable fields per endpoint — never accept "whatever fields the request includes" onto a full model object.
  • Flag any sensitive field (privilege/role, ownership, financial, status) that's reachable through a binding path without an explicit allowlist or block-list excluding it.
  • Prefer a dedicated DTO / input schema per endpoint over binding directly to the persistence model: a field the DTO doesn't declare can't be mass-assigned even if present in the request.
  • Do not assume a framework's default autobinding is safe; confirm its specific allowlist/block-list mechanism (Spring's @InitBinder setAllowedFields/setDisallowedFields, Rails strong parameters, a Mongoose schema pick/omit list, a serializer/DTO elsewhere) is actually configured for every bindable model in the diff.
  • Give update endpoints the same scrutiny as create endpoints — rebinding a full request body onto an already-loaded entity on update can overwrite fields the create path's DTO protected.

Exploitability Rules

  • Treat a sensitive field as exploitable mass-assignment risk when: an attacker can guess or discover the field name (from public source, docs, or a client bundle), and the binding path has no allowlist/block-list excluding it — both conditions are commonly true for AI-generated code that mirrors the model's real field names in API docs or client code.
  • Remember this vulnerability goes by different names per stack — mass assignment (Rails, Node), autobinding (Spring MVC, ASP.NET MVC), object injection (PHP) — review binding code in every language present in the diff, not just the one the reviewer is most familiar with.
  • Confirm the fix uses an allowlist (only named safe fields bindable) rather than a block-list alone where practical — a block-list must be kept in sync with every new sensitive field added later, while an allowlist fails closed by default.

Merge Blockers

Block merge when any of these is true.

  • A create or update endpoint binds request data onto a model/entity with no allowlist, block-list, or DTO restricting which fields can be set.
  • A sensitive field (privilege/role, ownership, financial, verification status) is reachable through a binding path with no explicit protection.
  • An update endpoint uses different, less-restrictive binding than the create endpoint for the same model.
  • A framework's autobinding is relied on with its default configuration, with no allowlist/block-list mechanism actually applied.

Review Checklist

  • {"task": "Binding paths identified", "description": "Every request-to-model binding path in the change is identified, including framework autobinding"}
  • {"task": "Allowlist or DTO present", "description": "Each binding path restricts to an explicit allowlist of fields or uses a DTO that excludes sensitive ones"}
  • {"task": "Sensitive fields protected", "description": "Privilege/role, ownership, financial, and status fields are not reachable through any unprotected binding path"}
  • {"task": "Create and update both covered", "description": "Update endpoints get the same binding scrutiny as create endpoints for the same model"}
  • {"task": "Framework default not assumed safe", "description": "The framework's specific allowlist/block-list mechanism is confirmed configured, not just assumed"}

AI Review Rules

AI assistants can write and review request-binding code, but they should show their evidence.

  • Ask the assistant to list every request-to-model binding path in the change, including any framework autobinding it relies on implicitly.
  • Require the assistant to state, for each bindable model, which fields are sensitive and how the binding path excludes them.
  • Have the assistant confirm update endpoints don't silently gain broader binding than their corresponding create endpoint.
  • Do not let the assistant claim a binding path is safe because the happy- path test only sent the intended fields.
  • Re-run review after any change to a model's fields, a binding configuration, or a shared DTO/serializer.

Troubleshooting

  • A legitimate admin-only field needs to be settable by some requests: give the admin-facing endpoint its own DTO/allowlist that includes it, separate from the general user-facing endpoint's DTO.
  • Switching to a DTO breaks a field the client actually needs to set: add that specific field to the DTO deliberately, rather than reverting to full-model binding.
  • Tests only cover intended fields: add a test that includes an extra, unintended field (e.g. a role/admin flag) in the request and asserts it was not applied to the resulting object.
  • An update endpoint needs different bindable fields than create: give it its own explicit allowlist/DTO rather than reusing the create path's binding code unchanged.

Duplicate And History Check

Before adding a new binding path, confirm the codebase does not already have a shared DTO, serializer, or allowlist configuration for this model. A generated change that binds directly to the model next to an existing protected DTO for the same entity should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, unprotected binding path.

Reference

Pattern Risk Fix
submit(User user) binding the full request body Any model field, including isAdmin, is settable Bind to a DTO that omits sensitive fields
Rails update_attributes(params[:user]) All permitted-by-default attributes are settable Strong parameters: explicit .permit(:userid, :email)
Mongoose new User(req.body) Every schema field, including isAdmin, is settable _.pick(req.body, User.userCreateSafeFields) or a protect flag
Update endpoint reuses create's unrestricted binding Same exposure persists after "fixing" create only Give update its own explicit allowlist/DTO
Sensitive field name discoverable via public docs/client Attacker can guess the exact unintended parameter Allowlist (fail-closed) rather than relying on obscurity

Sources

  • OWASP Mass Assignment Cheat Sheet
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • OWASP API Security Top 10 2023 — API3: Broken Object Property Level Authorization
  • GitHub Blog: Public Key Security Vulnerability and Mitigation (2012 mass assignment incident)

Source citations

Add this badge to your README

Show that AI-Generated Mass Assignment Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/rules/ai-generated-mass-assignment-review-rules.svg)](https://heyclau.de/entry/rules/ai-generated-mass-assignment-review-rules)

How it compares

AI-Generated Mass Assignment Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

Field

Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default.

Open dossier

Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations.

Open dossier

Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target.

Open dossier

Source-backed rules for reviewing AI-generated JavaScript/TypeScript code before merge for prototype pollution risk, covering unsafe recursive merge/clone/assign helpers on untrusted input, proto and constructor-prototype key handling, and safer alternatives like Map, Set, and Object.create(null).

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceSource-backedSource-backedSource-backedSource-backed
Submitterlourincedaging0-commitslourincedaging0-commitslourincedaging0-commitslourincedaging0-commits
Install riskReview firstReview firstReview firstReview first
Notes Safety Privacy Safety Privacy Safety Privacy Safety Privacy
Brand
Categoryrulesrulesrulesrules
Sourcesource-backedsource-backedsource-backedsource-backed
Authorlourincedaging0-commitslourincedaging0-commitslourincedaging0-commitslourincedaging0-commits
Added2026-07-152026-07-152026-07-152026-07-15
Platforms
Claude Code
Claude Code
Claude Code
Claude Code
Source repo
Safety notesMass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields. AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones. This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter.A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check.An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page. AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct. A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site.Prototype pollution lets an attacker add or overwrite properties on Object.prototype (or another shared built-in prototype), which can silently change behavior across the entire application — from denial-of-service and logic bypasses to, in some frameworks/environments, remote code execution. AI assistants often write a straightforward recursive merge/deep-clone/deep-set helper (a natural, short implementation for combining config objects or request bodies) without excluding __proto__/constructor/prototype keys, because the happy-path test data never includes those key names. This is a real, repeatedly-exploited class in widely-used JavaScript libraries, not a theoretical concern — for example CVE-2019-10744 in lodash's defaultsDeep allowed Object.prototype pollution via a crafted {constructor: {prototype: {...}}} input.
Privacy notesMass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system. Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead.IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied.Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead. Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review.Prototype pollution proof-of-concept payloads can trigger unexpected application-wide behavior in a shared environment; test in an isolated sandbox, not a shared staging or production system. Do not commit a working exploit payload targeting a specific internal endpoint into a public PR or issue; describe the vulnerable merge pattern and the class of key involved instead.
Prerequisites
  • A pull request, diff, or snippet containing AI-generated or AI-edited code that binds request data to a model, entity, or ORM object.
  • Knowledge of which fields on the affected model/entity are sensitive (admin/role flags, ownership references, financial fields, verification/status flags).
  • Familiarity with the specific framework's autobinding and allowlist/block-list mechanism in use, since the safe pattern differs meaningfully between Spring MVC, Rails, Mongoose/Node, Django, and hand-rolled binding code.
  • Permission to block merge when a request-to-model binding path can set a sensitive field with no allowlist, block-list, or DTO in place.
  • A pull request, diff, or snippet containing an AI-generated or AI-edited endpoint, resolver, or data-access function that accepts an object identifier from the request.
  • Knowledge of the application's ownership/permission model, since what counts as "authorized" differs between single-owner resources, shared resources, and admin-only resources.
  • Access to at least two distinct user accounts (or awareness of how to create them) to verify cross-account access is actually denied, not just assumed.
  • Permission to block merge when an object-level authorization check is missing, inconsistent, or client-trusted.
  • A pull request, diff, or snippet containing AI-generated or AI-edited redirect, forward, or "return to" logic.
  • Knowledge of which query parameters, form fields, or stored values in the application currently feed a redirect destination.
  • Awareness of the app's trusted domain(s) so an allowlist check (if one is added) can be scoped correctly.
  • Permission to block merge when a redirect destination is taken from user input without being restricted to a relative path or a validated allowlist.
  • A pull request, diff, or snippet containing AI-generated or AI-edited JavaScript/TypeScript code that recursively merges, clones, or assigns object properties.
  • Knowledge of which objects in the change are built from or merged with untrusted input (request bodies, query strings, parsed config/JSON/YAML).
  • Awareness that this class of bug affects the entire process, not just the object being merged — Object.prototype pollution can enable denial-of-service, property injection into unrelated objects, or in some environments remote code execution.
  • Permission to block merge when a recursive merge/clone/assign helper on untrusted input doesn't explicitly guard __proto__/constructor/prototype keys.
Install
Config
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.