Mass Assignment with HMAC Signatures
HMAC Signature-Specific Remediation
The fix requires two complementary steps:
- Limit the data that is accepted – use an explicit allow‑list (or a schema) so only expected properties are copied into the domain object.
- Cover all processed fields in the HMAC – compute the signature over every field that the application will later trust (the same set the allow-list accepts), or alternatively compute the HMAC over the entire serialized request body. The invariant is that the bytes under the signature must be exactly the bytes the application acts on; a field that is accepted but not signed is a field an attacker can set freely.
Below is a corrected version of the Node.js example. It uses a single allow-list for both binding and signing, then computes the HMAC over the canonical JSON string of the allow-listed data.
```javascript
const crypto = require('crypto');
const express = require('express');

const app = express();
app.use(express.json());

const SECRET = process.env.HMAC_SECRET;
if (!SECRET) throw new Error('HMAC_SECRET must be set');

// The exact set of fields that are allowed AND signed. One list for both purposes,
// so a field can never be bound without also being covered by the HMAC.
const ALLOWED_FIELDS = ['userId', 'amount', 'timestamp'];

// Compare two hex digests without leaking which byte differed. A length mismatch
// is already a failed verification, so returning early there gives nothing away.
function constantTimeCompare(expectedHex, givenHex) {
  if (typeof givenHex !== 'string') return false; // missing or non-string signature
  const a = Buffer.from(expectedHex, 'hex');
  const b = Buffer.from(givenHex, 'hex');
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

function verifySignature(body, sig) {
  const payloadObj = {};
  for (const key of ALLOWED_FIELDS) {
    if (typeof body[key] === 'undefined') return false; // missing required field
    payloadObj[key] = body[key];
  }
  // Canonical JSON: no whitespace, properties in the fixed ALLOWED_FIELDS order.
  // The client must serialise the same fields in the same order before signing.
  const payload = JSON.stringify(payloadObj);
  const expected = crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
  return constantTimeCompare(expected, sig);
}

app.post('/transfer', (req, res) => {
  const { signature } = req.body;
  if (!verifySignature(req.body, signature)) {
    return res.status(401).send('Invalid signature');
  }
  // SAFE: only assign allow-listed fields; anything else in the body is dropped
  const transfer = {};
  for (const key of ALLOWED_FIELDS) {
    transfer[key] = req.body[key];
  }
  // transfer.role, transfer.admin, etc. are undefined
  processTransfer(transfer); // application logic, defined elsewhere
  res.status(202).send('Accepted');
});
```
In languages with built‑in validation frameworks, the same principle applies:
- Java (Spring) – Use `@Validated` with a DTO that declares only the permitted fields; disable setter-based binding, or use `@InitBinder` (`binder.setAllowedFields(...)`) to reject unknown properties, and configure Jackson to fail on unknown properties rather than silently ignoring them.
- Python (FastAPI/Pydantic) – Define a `BaseModel` with an explicit `model_config = {'extra': 'forbid'}` so any undeclared attribute is rejected.
- Go – Decode JSON into a struct with only the expected fields. By default `encoding/json` silently ignores unknown keys; call `DisallowUnknownFields()` on the decoder to reject them outright, then compute the HMAC over the struct's canonical serialized form.
After applying these changes, rescan the endpoint with middleBrick. The Property Authorization check should report that all unexpected properties are rejected, and the risk score should improve accordingly (e.g., from F to A or B).
Related CWEs (propertyAuthorization check)
| CWE ID | Name | Severity |
|---|---|---|
| CWE-915 | Mass Assignment | HIGH |
Frequently Asked Questions
Does middleBrick modify my API to fix mass assignment issues?
No. middleBrick only detects and reports security issues. It provides detailed findings and remediation guidance, but it does not apply patches, block traffic, or change your code.
Can I use the middleBrick CLI to scan HMAC‑protected endpoints in my CI pipeline?
Yes. The CLI (`middlebrick scan`) returns JSON or text output that you can ingest in CI scripts. The GitHub Action integrates the same check directly into workflows, allowing you to fail builds when the security score drops below a threshold you define.