Install command
Not provided
Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
1 listed
Install type
Copy & paste
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup.
Safety & privacy surface
3 safety and 2 privacy notes across 2 risk areas. Review closely: permissions & scopes, network access.
You are reviewing AI-generated code for mass assignment (autobinding)
risk.
Rules:
1. Identify every place the change binds request data (JSON body, form
fields, query parameters) directly onto a model, entity, or ORM object
— whether via a framework's autobinding (Spring MVC model binding,
ASP.NET MVC model binding, Rails `update_attributes`/`assign_attributes`,
a Mongoose schema constructor, PHP object hydration) or a hand-written
loop that copies request keys onto an object.
2. Require an explicit allowlist of the fields a given endpoint may set —
never bind "whatever the request body contains" onto a full model
object by default.
3. Flag any model/entity with a sensitive field (an admin/role flag, an
ownership/user-ID reference, a price/balance, an internal status or
verification flag) that is reachable through a binding path without
an explicit allowlist or block-list excluding that field.
4. Prefer a dedicated Data Transfer Object (DTO) / input schema per
endpoint that only declares the fields a user is allowed to set, over
binding directly to the full persistence model — a field that doesn't
exist on the DTO can't be mass-assigned even if the request includes
it.
5. Do not treat a framework's default autobinding behavior as safe by
default; confirm the framework's allowlist/block-list mechanism
(`@InitBinder` allowed/disallowed fields in Spring, strong parameters
in Rails, a schema pick/omit list in Mongoose, a serializer/DTO in
other stacks) is actually configured for each bindable model.
6. Apply the same scrutiny to "update" endpoints as "create" endpoints —
an update path that re-binds the full request onto an existing loaded
entity can overwrite fields the create-path DTO already protected.Use these rules when an AI coding assistant writes or edits code that binds request data onto a model, entity, or ORM object. The goal is to stop a generated create/update endpoint from letting a client set fields it was never meant to control — an admin flag, an ownership reference, a price — just by adding an extra request parameter, because the binding code accepted the whole request body by default.
This is a review policy, not a mass-assignment tutorial. It tells reviewers what must be true about a generated change's request-to-model binding before the change is safe to merge.
Collect enough context to know what gets bound and what's sensitive on it.
@InitBinder
setAllowedFields/setDisallowedFields, Rails strong parameters, a
Mongoose schema pick/omit list, a serializer/DTO elsewhere) is actually
configured for every bindable model in the diff.Block merge when any of these is true.
AI assistants can write and review request-binding code, but they should show their evidence.
Before adding a new binding path, confirm the codebase does not already have a shared DTO, serializer, or allowlist configuration for this model. A generated change that binds directly to the model next to an existing protected DTO for the same entity should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, unprotected binding path.
| Pattern | Risk | Fix |
|---|---|---|
submit(User user) binding the full request body |
Any model field, including isAdmin, is settable |
Bind to a DTO that omits sensitive fields |
Rails update_attributes(params[:user]) |
All permitted-by-default attributes are settable | Strong parameters: explicit .permit(:userid, :email) |
Mongoose new User(req.body) |
Every schema field, including isAdmin, is settable |
_.pick(req.body, User.userCreateSafeFields) or a protect flag |
| Update endpoint reuses create's unrestricted binding | Same exposure persists after "fixing" create only | Give update its own explicit allowlist/DTO |
| Sensitive field name discoverable via public docs/client | Attacker can guess the exact unintended parameter | Allowlist (fail-closed) rather than relying on obscurity |
Show that AI-Generated Mass Assignment Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-mass-assignment-review-rules)AI-Generated Mass Assignment Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default. Open dossier | Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations. Open dossier | Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target. Open dossier | Source-backed rules for reviewing AI-generated JavaScript/TypeScript code before merge for prototype pollution risk, covering unsafe recursive merge/clone/assign helpers on untrusted input, proto and constructor-prototype key handling, and safer alternatives like Map, Set, and Object.create(null). Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| Submitter | lourincedaging0-commits | lourincedaging0-commits | lourincedaging0-commits | lourincedaging0-commits |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | lourincedaging0-commits | lourincedaging0-commits | lourincedaging0-commits | lourincedaging0-commits |
| Added | 2026-07-15 | 2026-07-15 | 2026-07-15 | 2026-07-15 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields. AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones. This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter. | ✓A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check. | ✓An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page. AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct. A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site. | ✓Prototype pollution lets an attacker add or overwrite properties on Object.prototype (or another shared built-in prototype), which can silently change behavior across the entire application — from denial-of-service and logic bypasses to, in some frameworks/environments, remote code execution. AI assistants often write a straightforward recursive merge/deep-clone/deep-set helper (a natural, short implementation for combining config objects or request bodies) without excluding __proto__/constructor/prototype keys, because the happy-path test data never includes those key names. This is a real, repeatedly-exploited class in widely-used JavaScript libraries, not a theoretical concern — for example CVE-2019-10744 in lodash's defaultsDeep allowed Object.prototype pollution via a crafted {constructor: {prototype: {...}}} input. |
| Privacy notes | ✓Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system. Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead. | ✓IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied. | ✓Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead. Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review. | ✓Prototype pollution proof-of-concept payloads can trigger unexpected application-wide behavior in a shared environment; test in an isolated sandbox, not a shared staging or production system. Do not commit a working exploit payload targeting a specific internal endpoint into a public PR or issue; describe the vulnerable merge pattern and the class of key involved instead. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Review AI-generated pull requests with repeatable security, test, and evidence checks.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.