Mass Assignment in Adonisjs with Cockroachdb

Mass assignment in AdonisJS with CockroachDB arises from the framework’s model-based data binding combined with CockroachDB’s strict SQL typing and schema enforcement. When a controller binds request payload fields directly to a model instance without explicit allowlisting, fields that should be immutable or server-controlled—such as id, created_at, role, or tenant_id—can be set by an attacker. Because CockroachDB enforces schema and type constraints at the SQL layer, unchecked binding can still lead to constraint violations or, worse, logical bypasses when enumerated fields are inserted into non-null columns or columns with default values that affect row-level behavior.

AdonisJS uses Lucid models with mass assignment protection via fillable and hidden properties. If these are not precisely defined, an attacker can exploit open attributes to inject values that affect CockroachDB-side behaviors, such as placement constraints, survival goals, or secondary indexes. For example, binding a schedule_type field that influences CockroachDB’s lease preferences or a region field that determines data locality can subtly alter performance and availability characteristics, creating business logic flaws rather than just data corruption.

The risk is compounded when API input validation is limited to frontend checks or when ORM hydration silently ignores mismatched types, because CockroachDB’s wire protocol and SQL layer will still attempt to store the provided value. This can trigger errors returned to the client or, in permissive configurations, lead to rows being created with attacker-influenced metadata. Unlike some databases, CockroachDB’s distributed nature means such rows can be replicated across nodes before validation logic can intervene, increasing the window for inconsistent state.

In practice, this manifests as unintended privilege elevation—such as a standard user setting role to admin—or data segregation failures when tenant_id is user-supplied. Because AdonisJS may return validation errors only after attempting SQL execution, an attacker can probe field names and observe timing or error differences, aiding reconnaissance for further attacks like injection or SSRF via malformed values.

To assess this risk, scans examine whether models define fillable explicitly, whether payloads include fields not in that list, and whether server-side defaults or CockroachDB schema constraints are relied upon for protection. The presence of uncontrolled binding in combination with CockroachDB’s strictness shifts the vulnerability from simple data corruption to potential access control bypass or information leakage through error messages.

Remediation centers on strict field allowlisting and server-side value assignment. In AdonisJS, always define fillable on Lucid models and never use fillAll. Combine this with explicit extraction of values rather than relying on automatic binding for sensitive inputs.

Example: Secure model definition

import { BaseModel, column } from '@ioc:Adonis/Lucid/Orm'

export default class Tenant extends BaseModel {
  @column({ isPrimary: true })
  public id: number

  @column()
  public name: string

  @column()
  public role: 'user' | 'admin'

  @column({ serialize: false })
  public apiKey: string

  // Explicitly allow only safe fields from external input
  public static fillable = ['name', 'role']
}

Example: Controller with explicit extraction

import Tenant from 'App/Models/Tenant'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class TenantController {
  public async create({ request, response }: HttpContextContract) {
    const payload = request.only(['name', 'role'])

    // Enforce server-side defaults for non-user fields
    const tenant = Tenant.create({
      ...payload,
      // Server-controlled values
      apiKey: crypto.randomBytes(16).toString('hex'),
    })

    return response.created(tenant.serialize())
  }
}

Example: CockroachDB schema alignment

Ensure your SQL schema matches AdonisJS models to avoid implicit coercion that can be abused:

-- CockroachDB schema
CREATE TABLE tenants (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  name STRING NOT NULL,
  role STRING NOT NULL CHECK (role IN ('user', 'admin')),
  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
  updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

In your migration, use CockroachDB-specific types and constraints so that invalid values are rejected at the database level. This complements AdonisJS validation and reduces reliance on ORM-only protection.

Example: Server-side validation before binding

import schema from '@ioc:Adonis/Core/Validator'

export async function store({ request, response }: HttpContextContract) {
  const validated = await schema.validate({
    schema: schema.create({
      name: schema.string.optional(),
      role: schema.enum(['user', 'admin']).optional(),
    }),
    data: request.only(['name', 'role']),
  })

  const tenant = await Tenant.create({
    name: validated.name,
    role: validated.role,
  })

  return response.created(tenant)
}

This approach ensures that only permitted fields reach the model and that CockroachDB receives values consistent with its constraints, minimizing the attack surface for mass assignment.