Closed Mupati closed 3 years ago
This is intended behavior.
A mass assignment vulnerability occurs when a user passes an unexpected HTTP request field and that field changes a column in your database that you did not expect. For example, a malicious user might send an is_admin parameter through an HTTP request, which is then passed to your model's create method, allowing the user to escalate themselves to an administrator.
Yeah. I understand that is the intended behaviour and envisaged how implausible my proposal might be. I was only hoping there could be a better way to address my concern.
Most often when I add some new fields to an existing table, I forget to add it to the fillable array and spend a significant amount of time trying to understand why a column is not being updated.
Laravel should not show an error to an attacker who is repeatedly trying to send a field which is not fillable, because it would reveal that the given field exists. But you can write your own code which checks it and notifies you, but only during development. Or you can use the $guarded property instead.
That's already the case. You cannot update an attribute that's not fillable.
Most times when I create a new migration to add some fields to an existing table, I forget to add the new fields to the $fillable array if I wanted the new field(s) to be mass assignable. I understand that a field that is not present in the $fillable array is not permitted to be updated by default, but the issue I described also exists. I recommend an error message that will serve as a hint. Eg. "Make sure the field(s) being updated are mass assignable". This error message might not give specifics but helps as a general hint.

I don't recommend adding the field that is absent from the $fillable array in the response since it can give a potential hint to an attacker about the fields available in your table.
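The $fillable/$guarded rule from the first reply and the development-only check suggested in the later comment, as an added example that is not part of this thread or of Laravel's own code; it is a framework-free sketch, and filterMassAssignment and MassAssignmentHint are hypothetical names:

```php
<?php
// Added example, not code from the Laravel project or this thread: a framework-free
// sketch of the Eloquent-style rule that $fillable is an allow-list, $guarded a
// deny-list ('*' = deny everything) and every other request key is dropped. In
// development the dropped keys are named so a forgotten $fillable entry is found
// quickly; in production only a generic hint is produced, so the response never
// confirms which columns exist. filterMassAssignment/MassAssignmentHint are hypothetical.
declare(strict_types=1);

final class MassAssignmentHint extends RuntimeException {}

/**
 * @param string[] $fillable allow-list; when non-empty it alone decides
 * @param string[] $guarded  deny-list, consulted only when $fillable is empty
 * @return array{allowed: array<string,mixed>, discarded: string[]}
 */
function filterMassAssignment(array $fillable, array $guarded, array $input, bool $debug): array
{
    $allowed = [];
    $discarded = [];
    foreach ($input as $key => $value) {
        $permitted = $fillable !== []
            ? in_array($key, $fillable, true)
            : !in_array('*', $guarded, true) && !in_array($key, $guarded, true);
        if ($permitted) {
            $allowed[$key] = $value;
        } else {
            $discarded[] = $key;
        }
    }
    if ($debug && $discarded !== []) {
        // Development only: name the keys so the developer spots the missing $fillable entry.
        throw new MassAssignmentHint('Discarded non-fillable attribute(s): ' . implode(', ', $discarded));
    }
    return ['allowed' => $allowed, 'discarded' => $discarded];
}

// Constructed request: the is_admin key from the docs plus a newly migrated
// phone column whose $fillable entry was forgotten.
$request = ['name' => 'Ada', 'phone' => '555-0100', 'is_admin' => 1];

$prod = filterMassAssignment(['name'], [], $request, false);
// Production: generic message only, no field names echoed back to the client.
echo $prod['discarded'] === [] ? "ok\n" : "Make sure the field(s) being updated are mass assignable\n";

try {
    filterMassAssignment(['name'], [], $request, true);
} catch (MassAssignmentHint $e) {
    echo $e->getMessage(), "\n"; // Development: phone and is_admin are named for the developer
}
```

Run with `php` from the command line; the production branch prints only the generic hint, while the debug branch names both the forgotten phone column and the unexpected is_admin key.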