Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: javascript
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code may allow properties to be added to or modified on the Object prototype, which can unintentionally affect every object in the application. Such changes typically occur when a loop assigns to object properties using untrusted or dynamically computed keys (for example, a key such as "__proto__" taken from input).

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: javascript
Severity: medium
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The code builds SQL queries by concatenating variables directly into the query string when using node-postgres. If any of these variables contain user input and are not properly sanitized, an attacker can inject malicious SQL commands.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: php
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Setting the $guarded property to an empty array in a Laravel model disables all mass assignment protection, so any attribute can be set from user input. This overrides Laravel's default safeguards against unintended data modification.

Impact

An attacker could exploit this to modify sensitive or restricted fields in your database by sending unexpected parameters, potentially leading to privilege escalation, data corruption, or unauthorized changes to user or application data.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: python
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code assigns all fields from user input directly to a model using constructs such as `**request.data`, which can unintentionally update sensitive or restricted fields. This allows attackers to modify fields that should not be user-editable simply by sending extra keys in their requests.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: python
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Medium

Description

User input is included directly when building SQL query strings, which makes the code vulnerable to SQL injection. Instead, always use parameterized queries or Django's ORM to handle user data safely in database operations.

Impact

If exploited, an attacker could run arbitrary SQL commands against your database—potentially reading, modifying, or deleting sensitive data. This can lead to data breaches, data loss, or unauthorized access to application functionality.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: ruby
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code assigns user input (params) directly to model attributes without proper protection, or passes :without_protection => true, which bypasses attribute whitelisting. As a result, users can set sensitive or restricted fields they should not have access to.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: ruby
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Allowing sensitive attributes such as :admin, :role, :banned, or :account_id to be mass assigned via permit or attr_accessible exposes the application to attackers who can modify these fields through crafted requests. Using params.permit! is especially risky because it permits every input field without restriction.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: ruby
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using create_with without restricting which parameters are allowed bypasses strong parameter protection in Ruby on Rails. This means an attacker could set any attribute on the model, including sensitive fields that were never intended to be exposed.

Impact

If exploited, an attacker could manipulate or overwrite critical data by setting unexpected model attributes, potentially leading to privilege escalation, unauthorized data changes, or system compromise. This undermines application integrity and could expose sensitive information or disrupt operations.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: ruby
Severity: low
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The model does not restrict which attributes can be updated via mass assignment. Without attr_accessible or strong parameters, attackers can set any model attribute by submitting extra parameters in their requests.

Impact

An attacker could manipulate sensitive fields (like admin status or password) that should not be user-editable, potentially leading to privilege escalation, unauthorized data changes, or full application compromise.

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Property
Language: ruby
Severity: medium
CWE: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Mass assignment protection is disabled for the model, allowing users to set any model attribute, including sensitive ones, via input parameters. This makes it easy for attackers to modify fields that should be restricted.

Impact

If exploited, an attacker could update protected fields such as user roles, permissions, or other critical data by submitting crafted parameters. This could lead to unauthorized access, privilege escalation, or data tampering within your application.