Fix Mass Assignment in AdonisJS
Mass Assignment in AdonisJS occurs when an application blindly accepts all input from a request and passes it directly to a Lucid model's create or update methods. This allows attackers to inject unauthorized fields—such as 'is_admin', 'role', or 'balance'—into the database, leading to privilege escalation or data corruption.
The Vulnerable Pattern
import User from 'App/Models/User'

export default class UsersController {
  async store({ request, response }) {
    // HIGH RISK: request.all() returns every key-value pair in the payload
    // An attacker can send { "username": "hacker", "is_admin": true }
    const userData = request.all()
    const user = await User.create(userData)

    return response.created(user)
  }
}
The Secure Implementation
To eliminate Mass Assignment, never pass request.all() or request.post() directly to a model when persisting data. Use request.only(['field1', 'field2']) to create a strict whitelist of the fields the endpoint is meant to accept. For production-grade security, use AdonisJS Validators: they act as a schema-based filter that strips any keys not explicitly defined in the validation rules, so even if an attacker sends extra fields they never reach the Lucid ORM layer. Unlike a bare whitelist, a validator also enforces types and formats on the fields it does accept.
import User from 'App/Models/User'
import CreateUserValidator from 'App/Validators/CreateUserValidator'

export default class UsersController {
  async store({ request, response }) {
    // OPTION 1: Use request.only() to whitelist specific fields
    const safeData = request.only(['username', 'email', 'password'])
    const user1 = await User.create(safeData)

    // OPTION 2: Use AdonisJS Validators (Recommended for AppSec)
    // The validator ensures only defined schema properties are returned
    const payload = await request.validate(CreateUserValidator)
    const user2 = await User.create(payload)

    return response.created(user2)
  }
}
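As an added illustration (not AdonisJS or Lucid code, and not from the original page), the two strategies above emulated in plain Node.js against an in-memory stand-in for User.create, so the effect on an unexpected is_admin key can be checked offline: request.only becomes only(), and the validator's strip-unknown-keys behaviour becomes validate(), which also returns the keys it dropped so they can be logged as a tampering signal. The schema, the hostile payload and the model stand-in are all constructed for this example.

```javascript
// Added example, not AdonisJS or Lucid code: an in-memory stand-in for
// User.create plus the two filters the article describes.
const db = []
function createUser(attributes) {
  // Persists every attribute it is handed, like an unguarded Lucid model
  const row = { id: db.length + 1, is_admin: false, ...attributes }
  db.push(row)
  return row
}
// Vulnerable: the request.all() equivalent, every key goes to the model
function storeVulnerable(body) {
  return createUser(body)
}
// Option 1: whitelist, the request.only([...]) equivalent
function only(body, allowed) {
  return Object.fromEntries(Object.entries(body).filter(([k]) => allowed.includes(k)))
}
function storeWithWhitelist(body) {
  return createUser(only(body, ['username', 'email', 'password']))
}
// Option 2: schema validation that strips unknown keys, mirroring what an
// AdonisJS validator does for request.validate(); dropped keys are returned
// so the controller can log them as a tampering signal
const createUserSchema = {
  username: { type: 'string', required: true },
  email: { type: 'string', required: true },
  password: { type: 'string', required: true },
}
function validate(body, schema) {
  const payload = {}
  const dropped = []
  for (const [key, value] of Object.entries(body)) {
    if (!schema[key]) { dropped.push(key); continue }
    if (typeof value !== schema[key].type) throw new Error(`${key}: expected ${schema[key].type}`)
    payload[key] = value
  }
  for (const [key, rule] of Object.entries(schema)) {
    if (rule.required && !(key in payload)) throw new Error(`${key}: required`)
  }
  return { payload, dropped }
}
function storeWithValidator(body) {
  const { payload, dropped } = validate(body, createUserSchema)
  if (dropped.length) console.warn('stripped unexpected keys:', dropped.join(', '))
  return createUser(payload)
}
// Constructed hostile payload: is_admin is not a field the signup form sends
const hostile = { username: 'mallory', email: 'm@example.test', password: 'pw', is_admin: true }
```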
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.