# RSTR-ORM-002 — Django ORM `create`/`filter`/`update` with `**request.POST`
## Summary
A Django view passes a request body directly into a model `create` /
`update` / `filter`, e.g. `Model.objects.create(**request.POST)`. Every
key in the request body becomes a field write, regardless of whether
the form was meant to expose it. An attacker can promote themselves to
admin by submitting `is_staff=true` (or whatever the model's flag
field is called).
This is **mass assignment**, CWE-915.
## Severity
`High`.
## Languages
Python (Django).
## What rastray flags
```python
def signup(request):
    User.objects.create(**request.POST)  # ← flagged
```
```python
def update(request, pk):
    Article.objects.filter(pk=pk).update(**request.POST)  # ← flagged
```
## What rastray deliberately does *not* flag
- Form-bound paths: `form = SignupForm(request.POST); form.save()`.
- ModelForm or DRF Serializer-driven updates.
- Explicit field lists: `User.objects.create(email=request.POST['email'])`.
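The following is an added, deliberately minimal re-implementation of the check described in the two sections above (it is not rastray's own code): it walks the Python AST, looks for ORM writer calls (`create`, `update`, `filter` and, as an assumption, the `get_or_create`/`update_or_create` variants) that splat a request body (`request.POST`, `request.GET`, or DRF's `request.data`, the latter also an assumption) via `**`, and leaves form-bound and explicit-field-list paths alone. The sample source is constructed for the demonstration.

```python
import ast

# ORM methods whose keyword arguments become field writes or lookups.
# The two *_or_create names are assumed extras, not taken from the rule text.
ORM_WRITERS = {"create", "update", "filter", "get_or_create", "update_or_create"}
# Attributes that carry a client-controlled body; `data` (DRF) is an assumption.
REQUEST_BODIES = {"POST", "GET", "data"}


def _is_request_body(node):
    """True for `request.POST` / `request.GET` / `request.data` attribute access."""
    return (isinstance(node, ast.Attribute)
            and node.attr in REQUEST_BODIES
            and isinstance(node.value, ast.Name)
            and node.value.id == "request")


def find_mass_assignment(source):
    """Return sorted (line, orm_method) pairs for `X.<writer>(**request.<body>)` calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if node.func.attr not in ORM_WRITERS:
            continue
        # A `**expr` splat is represented as a keyword whose `arg` is None.
        for kw in node.keywords:
            if kw.arg is None and _is_request_body(kw.value):
                findings.append((node.lineno, node.func.attr))
    return sorted(findings)


# Constructed sample: two flagged views followed by two paths that must stay quiet.
SAMPLE = '''
def signup(request):
    User.objects.create(**request.POST)

def update(request, pk):
    Article.objects.filter(pk=pk).update(**request.POST)

def safe_signup(request):
    form = SignupForm(request.POST)
    form.save()
    User.objects.create(email=request.POST["email"])
'''

if __name__ == "__main__":
    for line, method in find_mass_assignment(SAMPLE):
        print(f"line {line}: {method}(**request body) -> RSTR-ORM-002")
```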
## How to fix it
Always go through a `ModelForm`, a Django REST Framework `Serializer`,
or an explicit allow-list:
```python
from django.contrib.auth.models import User  # or get_user_model() for a custom user model
from django.forms import ModelForm
from django.http import HttpResponseBadRequest


class SignupForm(ModelForm):
    class Meta:
        model = User
        fields = ['email', 'password']  # allow-list: nothing else is writable


def signup(request):
    form = SignupForm(request.POST)
    if not form.is_valid():
        return HttpResponseBadRequest(form.errors)
    form.save()
```
```python
# REST framework
from django.contrib.auth.models import User
from rest_framework import serializers


class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['email', 'password']
        read_only_fields = ['is_staff', 'is_superuser']  # never writable from input
```
## References
- [Django docs — `ModelForm`](https://docs.djangoproject.com/en/stable/topics/forms/modelforms/)
- [DRF Serializers — `read_only_fields`](https://www.django-rest-framework.org/api-guide/serializers/#specifying-read-only-fields)
- [OWASP API Security Top 10 — API3: Broken Object Property Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/)
- [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes](https://cwe.mitre.org/data/definitions/915.html)