react-doctor/request-body-mass-assignment
Request input spread without field allowlist
- Category: Security
- Severity: warn
- Source:
oxlint-plugin-react-doctor - Framework: global
- Enabled when: always
- Tags: security-scan
- Default: Enabled
Validation prompt
Use this to decide whether a fired diagnostic is real or a false positive.
Confirm the reported code matches Request input spread without field allowlist. Check the framework context and diagnostic message before suppressing it.
Fix prompt
Use this once validation confirms the diagnostic is real.
Assign explicit, allowlisted fields (or validate with a strict schema and no .passthrough()) instead of spreading/merging request input. Otherwise the client can set ownership, role, or price columns (mass assignment) or pollute the prototype.
Related rules
More Security rules from the rules reference:
react-doctor/require-pnpm-hardening: pnpm project is missing supply-chain hardening in pnpm-workspace.yaml — set `minimumReleaseAge`, keep `blockExoticSubdeps: true`, and set `trustPolicy: no-downgrade`react-doctor/secret-in-fallback: Hardcoded secret fallback for env varreact-doctor/supabase-client-owned-authz-field: When the client writes authorization columns (`ownerId`, `orgId`, `role`, `isAdmin`) to Supabase, an attacker can forge them and escalate their own access.react-doctor/supabase-rls-policy-risk: A Supabase policy that disables row-level security, exposes the service role, or uses a `(true)` write predicate lets clients read or modify data that is not theirs.react-doctor/supabase-table-missing-rls: Supabase table created without Row Level Security