Mongoose is a popular library for interacting with MongoDB, commonly used within Node.js applications.
Insecure Mass-Assignment (also called Object Mapping) is nothing new; the following are a couple of good references on the subject:
If you are not familiar with the concept of Mass-Assignment, it is a feature typically found in MVC-style frameworks: user-supplied parameters and values are translated directly into database attributes and values. This makes instantiating a new model object less tedious.
As you can see, when a new user registers with some basic information, the entire body of the request is dumped into a new user object and becomes a database document. The problem arises when you consider database document attributes the user should NOT have access to. What if there is an admin attribute? In the request shown (above), if the user added a parameter ‘admin=true’ to the body of the POST request, they would now have administrative rights to the application. Obviously, we would want to fix this critical security problem.
There are a couple of methods we have seen for making mass-assignment safe, but the simplest solution is to define an array of permitted field names and only accept the request parameters that match elements in that array. Essentially, create a whitelist.
The following code demonstrates this concept in action using the pick method provided by the underscore library:
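As an added illustration (not the post's own code), the snippet below puts the vulnerable registration handler beside the whitelisted one. It stands in a plain in-memory `User` constructor for a Mongoose model so it runs offline, and its `pick` helper reproduces the behaviour of underscore's `_.pick`; the field names and the hostile request body are constructed for the example.

```javascript
// Constructed stand-in for a Mongoose model: like `new User(req.body)`,
// it copies every property it is given onto the document. The `admin`
// field defaults to false and is never meant to be set by the client.
function User(fields) {
  Object.assign(this, { admin: false }, fields);
}

// Whitelist helper with the same behaviour as underscore's _.pick(obj, keys):
// only own properties whose names appear in `keys` are copied through.
function pick(obj, keys) {
  const out = {};
  for (const key of keys) {
    if (Object.prototype.hasOwnProperty.call(obj, key)) {
      out[key] = obj[key];
    }
  }
  return out;
}

// Vulnerable handler: the whole request body becomes the document,
// so any extra parameter (e.g. admin=true) lands in the database.
function registerUnsafe(body) {
  return new User(body);
}

// Hardened handler: only the fields a self-registering user may supply
// reach the model; anything else in the body is silently dropped.
const REGISTRATION_FIELDS = ['username', 'email', 'password'];
function registerSafe(body) {
  return new User(pick(body, REGISTRATION_FIELDS));
}

// Constructed request body: a normal signup with an injected admin flag.
const hostileBody = {
  username: 'mallory',
  email: 'mallory@example.com',
  password: 'correct horse battery staple',
  admin: true,
};

console.log('unsafe admin =', registerUnsafe(hostileBody).admin); // true
console.log('safe   admin =', registerSafe(hostileBody).admin);   // false
```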
Hopefully this helps you protect your applications a little better against Insecure Mass-Assignment.