# Mass Assignment Analyzer

Category Severity Time To Fix
🛡️ Security ⚠️ Critical 10 minutes

Class: Enlightn\Enlightn\Analyzers\Security\MassAssignmentAnalyzer

# Introduction

This analyzer scans your application code for potential mass assignment vulnerabilities. Mass assignment is a vulnerability where an ORM pattern in a web application is abused to modify data items that the user should not be allowed to access.

# Examples of Mass Assignment

Here are a couple of examples of mass assignment vulnerabilities that the analyzer detects:

use App\Models\User;


In the example above, all the request input parameters are "force-filled" to the User model. This can expose your application to mass assignment. For instance, perhaps there is a isAdmin column in the users table, which can be overwritten by the request data.

Some other examples of mass assignment are as below:

User::upsert($request->all(), []);
User::where('user_id', 1)->update($request->all());

# How To Fix

Instead of using the all method, you can use the only or validated (for form requests) methods to fix the above mass assignment vulnerabilities:

$user->forceFill($request->only(['email', 'address', 'country', 'phone']))->save();

# References