Mass Assignment in Gin with Dynamodb

Mass Assignment in a Gin-based service that uses Amazon DynamoDB as a persistence layer occurs when user-supplied JSON is bound directly to Go structs and then written to DynamoDB without explicit field filtering. In Gin, developers commonly use c.ShouldBindJSON(&input) to map incoming JSON to a struct. If the struct contains sensitive or mutable fields such as Role, IsAdmin, or Permissions, and those fields are not explicitly omitted or controlled, an attacker can set them in the request to escalate privileges or alter application state.

When the struct is then marshaled and passed to DynamoDB operations (e.g., PutItem or UpdateItem), the unchecked fields are persisted, effectively trusting client input for authorization-critical attributes. This is a classic BOLA/IDOR and BFLA/Privilege Escalation vector: the API surface accepts user-controlled data and writes it directly to DynamoDB without server-side validation or schema-based authorization. Because DynamoDB is a NoSQL store, there is no schema enforcement at the database level; any attribute present in the request can be stored, which amplifies the impact of unchecked binding.

Additionally, because middleBrick tests this unauthenticated attack surface, an attacker can probe endpoints that accept user-controlled structs and inspect whether sensitive fields are reflected or cause unintended behavior in DynamoDB. Common patterns include omitting fields from responses (e.g., omitting PasswordHash) while still accepting them in writes, or binding an input struct to a DynamoDB record update and allowing mutation of fields like IsVerified or PlanTier. The risk is compounded when the same struct is used for both binding and DynamoDB attribute mapping, creating a direct path for attackers to modify authorization attributes.

To prevent Mass Assignment in Gin when working with DynamoDB, use a two-struct pattern: a separate request binding struct that only exposes safe, intended fields, and a domain/model struct that maps to DynamoDB attributes. Validate and transform the request struct into the model struct on the server side before performing any DynamoDB operation. This ensures that sensitive fields are never written from user input.

Example: Safe binding and DynamoDB write

// Request struct — only includes fields the client is allowed to set
type CreateUserRequest struct {
    Username string `json:"username" binding:"required,alphanum"`
    Email    string `json:"email" binding:"required,email"`
}

// Domain model — includes DynamoDB attributes and sensitive fields
type UserModel struct {
    Username           string `json:"username"`
    Email              string `json:"email"`
    PasswordHash       string `json:"-"` // excluded from JSON binding
    IsAdmin            bool   `json:"-"` // excluded from JSON binding
    CreatedAt          string `json:"created_at"`
    PartitionKey       string `json:"PK"` // DynamoDB attribute name
    SortKey            string `json:"SK"` // DynamoDB attribute name
}

// Handler
func CreateUser(c *gin.Context) {
    var req CreateUserRequest
    if err := c.ShouldBindJSON(&req); err != nil {
        c.JSON(400, gin.H{"error": err.Error()})
        return
    }

    // Transform to domain model — set server-controlled fields explicitly
    user := UserModel{
        Username:     req.Username,
        Email:        req.Email,
        PasswordHash: hashPassword(req.Password), // assume a helper
        IsAdmin:      false,                      // server-controlled default
        CreatedAt:    time.Now().UTC().Format(time.RFC3339),
        PartitionKey: "USER#" + req.Username,
        SortKey:      "METADATA",
    }

    // Write to DynamoDB
    av, err := dynamodbattribute.MarshalMap(user)
    if err != nil {
        c.JSON(500, gin.H{"error": "failed to marshal"})
        return
    }

    input := &dynamodb.PutItemInput{
        TableName: aws.String("Users"),
        Item:      av,
    }
    // Assuming DynamoDB client is configured elsewhere
    _, err = dbClient.PutItem(context.TODO(), input)
    if err != nil {
        c.JSON(500, gin.H{"error": "failed to save user"})
        return
    }

    c.JSON(201, gin.H{"id": user.PartitionKey})
}

UpdateItem with explicit attribute update

For updates, prefer UpdateItem with an explicit expression to avoid binding entire structs. This prevents attackers from injecting unexpected attributes.

// Safe partial update using expression
func UpdateUserEmail(c *gin.Context) {
    username := c.Param("username")
    var req struct {
        Email string `json:"email" binding:"required,email"`
    }
    if err := c.ShouldBindJSON(&req); err != nil {
        c.JSON(400, gin.H{"error": err.Error()})
        return
    }

    updateInput := &dynamodb.UpdateItemInput{
        TableName: aws.String("Users"),
        Key: map[string]types.AttributeValue{
            "PK": &types.AttributeValueMemberS{Value: "USER#" + username},
            "SK": &types.AttributeValueMemberS{Value: "METADATA"},
        },
        UpdateExpression: aws.String("set Email = :email"),
        ExpressionAttributeValues: map[string]types.AttributeValue{
            ":email": &types.AttributeValueMemberS{Value: req.Email},
        },
        ReturnValues: types.ReturnValueUpdatedNew,
    }

    _, err := dbClient.UpdateItem(context.TODO(), updateInput)
    if err != nil {
        c.JSON(500, gin.H{"error": "failed to update"})
        return
    }

    c.JSON(200, gin.H{"email": req.Email})
}

These patterns ensure that only explicitly allowed fields are bound in Gin, while DynamoDB writes are constrained to known, server-controlled attributes. This approach mitigates Mass Assignment and aligns with secure API design for NoSQL backends.