How does it help with OWASP compliance?

It specifically targets the A01:2021 — Broken Access Control category by ensuring developers implement strict whitelisting for input data, a key requirement for preventing unauthorized object modification.

Which PHP frameworks does this skill support?

While specifically optimized for Laravel (Eloquent) and Doctrine, it can detect generic PHP patterns involving array merges, constructor spreads, and dynamic method calls used for data binding.

What is a mass assignment vulnerability?

It is a security flaw where an application takes user-provided data (like a JSON body) and applies it to an internal object or database model without proper filtering, potentially allowing attackers to modify protected fields like 'is_admin' or 'balance'.

Can it suggest fixes for the vulnerabilities it finds?

Yes, the skill provides specific 'CORRECT' code patterns, such as using $request->only() or explicit DTO mapping, to replace vulnerable implementations found during the scan.

PHP Mass Assignment Security Checker

Name: PHP Mass Assignment Security Checker
Author: dykyi-roman

bydykyi-roman

•

セキュリティとテスト

Audits PHP and Laravel codebases to identify and remediate mass assignment security vulnerabilities.

This skill enhances Claude's ability to perform security audits on PHP applications, specifically targeting mass assignment vulnerabilities categorized under OWASP A01:2021. It scans for dangerous patterns like passing raw request data directly into model creation, missing fillable/guarded attribute definitions in Laravel models, and insecure use of array spreads or dynamic setters. By automating the detection of CWE-915 flaws, it helps developers implement robust whitelisting and explicit data mapping patterns to prevent unauthorized attribute modification and privilege escalation.

主な機能

01Detects Request::all() usage in Eloquent create and update methods

0245 GitHub stars

03Audits Doctrine entities for vulnerable public setters and dynamic reflection-based updates

04Provides standardized severity classifications and remediation code examples

05Identifies missing or insecure $fillable and $guarded properties in models

06Flags dangerous array spreads and array_merge operations with unvalidated input

ユースケース

01Conducting security audits on Laravel applications to find Broken Access Control issues

02Hardening API endpoints against unauthorized parameter injection and data tampering

03Automating code reviews to ensure new models follow attribute whitelisting best practices

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-mass-assignment

For use in Claude.ai and ChatGPT

Download Skill