Path Traversal in Cockroachdb

Path Traversal in CockroachDB exploits file system operations exposed through SQL commands or HTTP endpoints, allowing attackers to read or write files outside intended directories. CockroachDB's distributed nature and SQL compatibility introduce specific attack surfaces.

Attack Vectors:

• COPY/IMPORT/EXPORT Commands: User-supplied file paths in COPY TO/FROM, IMPORT, or EXPORT can include traversal sequences (e.g., ../../../etc/passwd). Example: COPY TO '/var/lib/cockroachdb/../../../../etc/shadow'.
• BACKUP/RESTORE: Paths in BACKUP TO or RESTORE FROM may be manipulated to access sensitive system files or overwrite critical data.
• User-Defined Functions (UDFs): UDFs using crdb_internal or pg_catalog functions like pg_read_file can read arbitrary files if input isn't validated. CVE-2020-26197 demonstrated this via crdb_internal.read_file.
• HTTP Admin API: Endpoints like /_admin/v1/logs or /_admin/v1/debug that accept file paths as parameters are vulnerable if traversal sequences aren't blocked.

CockroachDB-Specific Nuance: In a distributed cluster, file paths resolve on individual nodes. An attacker might target node-specific files (e.g., /proc/self/environ) to extract environment variables containing credentials. The following query demonstrates a UDF-based attack:

SELECT crdb_internal.read_file('../../../etc/cockroach/certs/node.crt');

Detecting Path Traversal in CockroachDB requires testing both SQL interfaces and HTTP endpoints. middleBrick's Input Validation check (one of its 12 parallel scans) automates this by sending payloads with traversal sequences (../, ..%2f, double encoding) to API parameters that accept file paths.

Scanning with middleBrick:

• For HTTP APIs (e.g., CockroachDB's Admin UI or custom REST layers), submit the endpoint URL to middleBrick. It probes parameters like file, path, or log_file with payloads such as ../../../etc/passwd.
• For OpenAPI/Swagger specs, middleBrick resolves $ref and identifies parameters named filename, directory, etc., then tests them at runtime.

Example scan command:

middlebrick scan https://your-cockroachdb-cluster.example.com:8080

A typical finding in the middleBrick report includes:

middleBrick scores this under Input Validation (severity: High) and maps it to OWASP API Top 10 A01:2023 – Broken Object Level Authorization and PCI-DSS 6.5.1.

Remediation combines CockroachDB configuration, SQL best practices, and application-layer validation. middleBrick's reports provide prioritized guidance, but key fixes include:

1. Restrict Dangerous Functions: Disable crdb_internal and pg_catalog file-access functions in production. In cockroach.start settings or via SQL:

SET disable_crdb_internal = true;

2. Validate and Canonicalize Paths: In application code (e.g., Go services using lib/pq), sanitize any user-supplied file paths:

import "path/filepath"

func safeBackupPath(userInput string) (string, error) {
    cleaned := filepath.Clean(userInput)
    if strings.HasPrefix(cleaned, "/var/lib/cockroachdb/backups/") {
        return cleaned, nil
    }
    return "", errors.New("invalid backup path")
}

3. Use Parameterized Queries for File Operations: Avoid concatenating user input into COPY or BACKUP commands. Instead, use allowlisted directories:

// Safe: hardcoded base path with parameterized filename
_, err := db.Exec("BACKUP TO '/var/lib/cockroachdb/backups/' || $1", backupName)

4. Harden HTTP Endpoints: If exposing Admin API, use reverse proxies (e.g., nginx) to restrict access to internal networks and validate query parameters. CockroachDB's built-in HTTP server should be disabled in production (--http-addr=disabled).

5. Principle of Least Privilege: Run CockroachDB nodes under dedicated OS users with minimal filesystem permissions, limiting impact of a traversal exploit.