#0604

Object Property Injection

Medium · +100 XP · A08:2021 Software and Data Integrity Failures · CWE-502
Mass Assignment · Object Injection

Scenario

Your registration endpoint deserialises a JSON body and spreads all parsed fields directly into a user profile object.

An attacker adds extra fields like `isAdmin: true` or `role: 'admin'` to the JSON body. Because no allowlist is applied, these fields land directly in the stored profile, granting escalated privileges.

Mass assignment vulnerabilities have led to account takeovers and privilege escalation at major platforms. Always allowlist the fields you accept — never blocklist the ones you want to reject.

Your Tasks

  1. After parsing the JSON string, extract only the allowlisted fields: `name`, `email`, and `bio`.
  2. Return an object with exactly those three fields; any field missing from the input defaults to an empty string.
  3. Do not throw — silently ignore unexpected fields.

Examples

Example 1 (Exploit) — isAdmin injected but stripped

buildUserProfile('{"name":"alice","isAdmin":true}')
// returns: {name:'alice', email:'', bio:''} — isAdmin absent

Example 2 (Safe) — all allowlisted fields

buildUserProfile('{"name":"alice","email":"a@b.com","bio":"dev"}')
// returns: {name:'alice', email:'a@b.com', bio:'dev'}

Constraints

  • The returned object must contain exactly `name`, `email`, and `bio`, and no other keys.
  • Missing fields default to `""` (empty string), not `null` or `undefined`.
  • The function must never throw for any valid JSON input.

