const express = require("express");
const mongoose = require("mongoose");
const app = express();
app.use(express.json());
const User = mongoose.model("User", {
username: String,
email: String,
role: {
type: String,
default: "user"
},
isVerified: {
type: Boolean,
default: false
},
credits: {
type: Number,
default: 0
}
});
app.post("/register", async (req, res) => {
const user = new User(req.body);
await user.save();
res.json(user);
});
app.patch("/profile", async (req, res) => {
const user = await User.findById(req.headers.userid);
Object.assign(user, req.body);
await user.save();
res.json(user);
});
app.listen(3000);Reveal Solution
1. Mass Assignment in /register
The application directly passes all user-supplied fields from req.body into the User model. An attacker can provide sensitive attributes such as role, isVerified, or credits during account creation.
2. Mass Assignment in /profile
The application uses Object.assign(user, req.body) to copy every user-controlled field onto the account object. This allows modification of sensitive attributes that should only be managed by the server.