Ssrf in Cockroachdb

Server-Side Request Forgery (SSRF) in Cockroachdb environments typically occurs when applications use database connections or Cockroachdb-specific features to make external network requests without proper validation. This vulnerability is particularly dangerous because Cockroachdb's distributed architecture and built-in HTTP interfaces can be abused to access internal services.

A common attack pattern involves exploiting Cockroachdb's IMPORT statement, which can fetch data from external URLs. An attacker might craft a query like:

IMPORT TABLE users FROM CSV DATA ('http://internal-service:8080/sensitive-data');

This allows the database to make outbound requests to internal services, potentially exposing data from the internal network that wouldn't normally be accessible from the internet.

Another manifestation occurs through Cockroachdb's Admin UI, which runs on port 8080 by default. If an application constructs URLs based on user input and passes them to database functions, an attacker could trigger requests to:

SELECT crdb_internal.http_get('http://localhost:8080/_status/vars');

This could reveal internal metrics, configuration details, or even allow access to the Admin UI if authentication is misconfigured.

Cockroachdb's BACKUP and RESTORE operations also present SSRF vectors when they involve external storage endpoints. An attacker might manipulate backup URLs to target internal services instead of legitimate cloud storage, causing the database to make unauthorized requests during these operations.

Detecting SSRF vulnerabilities in Cockroachdb requires examining both the database configuration and application code that interacts with it. Start by reviewing your Cockroachdb cluster's network configuration and identifying all endpoints that accept external connections.

For IMPORT and BACKUP/RESTORE operations, monitor the SQL audit logs for suspicious URL patterns. Cockroachdb provides the crdb_internal.http_get function for making HTTP requests, which should be carefully audited. Look for patterns like:

SELECT * FROM crdb_internal.http_gets WHERE url LIKE '%localhost%' OR url LIKE '%127.0.0.1%';
SELECT * FROM crdb_internal.http_gets WHERE url LIKE '%internal%';

These queries can reveal unauthorized internal requests.

middleBrick's SSRF scanner specifically tests Cockroachdb endpoints by attempting to access internal services through database functions. The scanner identifies vulnerable patterns by:

• Testing IMPORT statements with crafted URLs pointing to internal ports
• Attempting to access the Admin UI on port 8080
• Checking for SSRF in backup/restore operations
• Scanning for exposed crdb_internal.http_get usage

The scanner runs 12 parallel security checks, including SSRF testing, and provides a security score with detailed findings. For Cockroachdb specifically, middleBrick can detect SSRF vulnerabilities in under 15 seconds without requiring database credentials.

Enable Cockroachdb's server.http.enabled setting only when necessary, and always bind it to specific interfaces rather than 0.0.0.0. The Admin UI should be protected with authentication and, ideally, restricted to specific IP ranges.

Remediating SSRF vulnerabilities in Cockroachdb environments requires a defense-in-depth approach. Start by implementing strict network controls around your Cockroachdb clusters. Use firewall rules to restrict outbound connections from database nodes to only necessary endpoints.

For IMPORT operations, implement URL validation before executing the statement. Here's a Cockroachdb-specific approach using a stored procedure:

CREATE OR REPLACE FUNCTION safe_import_url(url TEXT) RETURNS BOOLEAN AS $$
DECLARE
  parsed_url TEXT[];
  domain TEXT;
  is_allowed BOOLEAN;
BEGIN
  -- Basic URL parsing and validation
  parsed_url := regexp_split_to_array(url, '//');
  IF array_length(parsed_url, 1) < 2 THEN
    RETURN FALSE;
  END IF;
  
  domain := split_part(parsed_url[2], '/', 1);
  
  -- Allowlist of permitted domains
  is_allowed := domain IN ('trusted-bucket.s3.amazonaws.com', 'backup.storage.com');
  
  IF NOT is_allowed THEN
    RAISE EXCEPTION 'URL not in allowlist: %', url;
    RETURN FALSE;
  END IF;
  
  RETURN TRUE;
END;
$$ LANGUAGE plpgsql;

-- Usage in application code:
-- IF safe_import_url(user_provided_url) THEN
--   IMPORT TABLE data FROM CSV DATA (user_provided_url);
-- END IF;

This function validates URLs against an allowlist before allowing IMPORT operations, preventing SSRF to internal services.

For applications using Cockroachdb's HTTP functions, implement a wrapper that validates destinations:

CREATE OR REPLACE FUNCTION safe_http_get(url TEXT) RETURNS TABLE(content TEXT, status_code INT) AS $$
DECLARE
  parsed_url TEXT[];
  domain TEXT;
  is_internal BOOLEAN;
BEGIN
  -- Check for internal IP addresses and private ranges
  parsed_url := regexp_split_to_array(url, '//');
  domain := split_part(parsed_url[2], '/', 1);
  
  -- Detect private IP ranges
  is_internal := (domain ~ '^10\.') OR 
                 (domain ~ '^172\.(1[6-9]|2[0-9]|3[0-1])\.') OR 
                 (domain ~ '^192\.168\.') OR 
                 (domain ~ '^127\.') OR 
                 (domain ~ '^169\.254\.') OR 
                 (domain ~ '^0\.0\.0\.0') OR 
                 (domain ~ '^::1') OR 
                 (domain ~ '^fc00:');
  
  IF is_internal THEN
    RAISE EXCEPTION 'Internal addresses blocked for security';
    RETURN;
  END IF;
  
  -- Proceed with HTTP request if external
  RETURN QUERY SELECT * FROM crdb_internal.http_get(url);
END;
$$ LANGUAGE plpgsql;

This wrapper prevents SSRF by blocking requests to internal IP ranges and localhost addresses.

For backup/restore operations, implement similar validation and consider using signed URLs with short expiration times for cloud storage access. This limits the window of opportunity for SSRF attacks.

Finally, integrate middleBrick's SSRF scanning into your CI/CD pipeline using the GitHub Action. This ensures that any new code introducing SSRF vulnerabilities is caught before deployment:

name: API Security Scan
on: [pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run middleBrick SSRF Scan
      run: |
        npm install -g middlebrick
        middlebrick scan https://your-cockroachdb-endpoint:26257 --output scan-results.json
    - name: Fail on high-risk findings
      run: |
        if [ $(jq '.risk_score' scan-results.json) -lt 80 ]; then
          echo "Security risk detected!"; exit 1;
        fi

This GitHub Action automatically scans your Cockroachdb endpoints on every pull request and fails the build if the security score drops below 80, preventing SSRF vulnerabilities from reaching production.