AI-coding hygiene

no-unsafe-mass-assignment

Flag `Object.assign(user, req.body)` and `{ ...model, ...req.body }` shapes.

Splatting an unfiltered request body into a database model lets a client set fields the server never intended to be client-controlled (`isAdmin`, `tenantId`, …). OWASP A04. Covers `Object.assign`, object spread, and the ORM-shortcut `User.create(req.body)` / `user.update(req.body)` forms.

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

Object.assign(user, req.body);
await user.save();

Good:

const parsed = userSchema.parse(req.body);
Object.assign(user, parsed);
await user.save();
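The Bad and Good shapes above, run against a constructed request body so the difference is visible. This is an added example, not code from the deslint project; `parseUserUpdate` and `updatableFields` are assumed stand-ins for the page's `userSchema.parse`, and the user record and body are constructed samples.

```javascript
// Constructed sample body: the fields an honest client sends, plus two
// fields a client must never be able to set through a profile update.
const requestBody = { name: 'Mallory', email: 'm@example.com', isAdmin: true, tenantId: 'other-tenant' };

// Allow-list of client-updatable fields, each with the check it must pass.
// Anything not listed here (isAdmin, tenantId) is dropped, never copied.
const updatableFields = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  email: (v) => typeof v === 'string' && /^[^@\s]+@[^@\s]+$/.test(v),
};

// Stand-in for `userSchema.parse(req.body)` (assumed, not a real library):
// keeps only allow-listed keys and rejects values that fail their check.
function parseUserUpdate(body) {
  const parsed = {};
  for (const [key, check] of Object.entries(updatableFields)) {
    if (!(key in body)) continue;
    if (!check(body[key])) throw new Error(`invalid value for ${key}`);
    parsed[key] = body[key];
  }
  return parsed;
}

// Constructed model row, as it would be loaded from the database.
function freshUser() {
  return { id: 42, name: 'Alice', email: 'a@example.com', isAdmin: false, tenantId: 'acme' };
}

// Bad: the shape the rule reports. Every key in the body lands on the model,
// so the client's isAdmin and tenantId overwrite the stored values.
function unsafeUpdate(body) {
  const user = freshUser();
  Object.assign(user, body);
  return user;
}

// Good: only parsed, allow-listed fields reach the model; the privileged
// fields keep their stored values.
function safeUpdate(body) {
  const user = freshUser();
  Object.assign(user, parseUserUpdate(body));
  return user;
}

console.log(unsafeUpdate(requestBody).isAdmin); // true
console.log(safeUpdate(requestBody).isAdmin);   // false
```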

Related rules

Use it

Enable no-unsafe-mass-assignment in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-unsafe-mass-assignment': 'error',
    },
  },
];
