Email Injection in Fastapi with Cockroachdb

Email injection occurs when user-controlled input is concatenated into email headers or commands without validation, enabling attackers to inject additional headers such as CC, BCC, or forged sender addresses. In a Fastapi application using Cockroachdb as the backend, the risk emerges at the intersection of three components: the web framework, the database layer, and the email-sending logic.

Fastapi does not inherently sanitize data passed from request bodies to downstream handlers. If a developer builds an endpoint that stores user data in Cockroachdb and later uses fields like email or username in email operations, unsanitized inputs can propagate to the mail subsystem. Cockroachdb, being a PostgreSQL-compatible database, does not perform email validation; it stores whatever is sent in SQL statements. Therefore, if a query is constructed via string interpolation or an ORM layer that does not enforce strict parameterization, attacker-controlled data can influence how emails are built or logged.

Consider a user registration flow where the client sends JSON containing an email address. A vulnerable Fastapi route might insert the value directly into a SQL string and later use the same field in an SMTP client call. An attacker submitting a payload such as email: test@example.com\r\nCC: attacker@malicious.com can extend the header chain if the downstream mail library interprets newline sequences. Even if the database stores the raw value safely via parameterized queries, the exposure occurs when the application reads the stored value and passes it to an email library that does not enforce header separation.

The 12 security checks in middleBrick test this unauthenticated attack surface in parallel, including Input Validation and Unsafe Consumption, to detect patterns where email fields may be used in command or header construction. The scanner does not assume a specific database technology; it observes runtime behavior and spec definitions to highlight risks such as missing sanitization on fields that later participate in email workflows. Because Fastapi routes often map database columns directly to API responses, an OpenAPI/Swagger spec that includes email properties without format constraints can increase the likelihood of unsafe data usage across layers.

Real-world attack patterns relevant to this stack include header smuggling via carriage return and line feed (CRLF) sequences, which can bypass naive filtering. MiddleBrick references established standards such as OWASP API Top 10 and maps findings to compliance frameworks, noting that email injection can facilitate phishing or log forging even when the database itself remains consistent and isolated.

Remediation centers on strict input validation, safe database interactions, and disciplined email handling. In Fastapi, use Pydantic models to enforce type and format constraints before data reaches the database or email logic. For Cockroachdb, always use parameterized SQL or an ORM that generates placeholders, avoiding string concatenation for queries.

Below are concrete code examples for a Fastapi endpoint that registers a user and stores an email in Cockroachdb safely.

from fastapi import Fastapi, HTTPException
from pydantic import BaseModel, EmailStr
import asyncpg
import re

app = Fastapi()

# Connection pool established elsewhere
# pool = asyncpg.create_pool(...)

class UserCreate(BaseModel):
    email: EmailStr
    username: str

async def get_pool():
    # Assume this returns a configured asyncpg pool
    pass

@app.post("/users/")
async def create_user(user: UserCreate):
    # Validate email format early using EmailStr
    # Additional allowlist for local-part if required
    if not re.match(r'^[^\s@]+@[^\s@]+$', user.email):
        raise HTTPException(status_code=400, detail="Invalid email format")

    pool = await get_pool()
    async with pool.acquire() as conn:
        # Parameterized query prevents SQL injection and keeps data clean
        await conn.execute(
            "INSERT INTO users (email, username) VALUES ($1, $2)",
            user.email,
            user.username
        )
    return {"status": "created", "email": user.email}

In this example, EmailStr ensures basic email format compliance, and the regex provides an additional allowlist to reject unexpected newline characters that could be used for injection. The Cockroachdb query uses $1 and $2 placeholders, which asyncpg translates into safe parameterization, preventing injected SQL or command fragments from altering query intent.

When generating emails, reference the stored value directly from the validated model rather than re-reading raw input. If integrating with an SMTP client, ensure the library is configured to treat headers as immutable and avoid concatenating user-controlled strings into header lines. MiddleBrick’s CLI can be used to scan this route with the command middlebrick scan <url> to verify that no unsafe patterns remain in the runtime behavior or the OpenAPI spec.

For continuous assurance, the Pro plan supports continuous monitoring and CI/CD integration, allowing you to fail builds if security scores degrade. The GitHub Action can validate that new changes do not reintroduce unsafe handling of email fields, while the MCP Server enables scanning directly from AI coding assistants to catch issues during development.