Header Injection in Feathersjs with Cockroachdb
Header Injection in Feathersjs with Cockroachdb — how this specific combination creates or exposes the vulnerability
Header Injection in a Feathersjs service that uses Cockroachdb typically arises when user-controlled data is reflected into HTTP response headers without validation or encoding. Feathersjs is a framework that favors a service-oriented architecture; developers often add custom headers for tracing, correlation, or business logic, and these values may be sourced from request parameters, query strings, or payload fields that ultimately reach Cockroachdb.
Because Feathersjs can expose REST and WebSocket transports, an attacker may supply crafted header values (e.g., x-request-id, x-correlation-id, or custom authentication tokens) that the service passes to downstream logic. When these values are concatenated into SQL statements or used to influence behavior before a Cockroachdb query, injection or header smuggling can occur. For example, a developer might write a hook that reads req.headers['x-user-context'] and passes it into a Cockroachdb SELECT or DML statement without sanitization, enabling header injection–style attacks such as response splitting or metadata manipulation.
The interaction with Cockroachdb matters because Cockroachdb adheres to PostgreSQL wire protocol semantics; values injected into header-driven query construction can break statement boundaries, especially when dynamic SQL is built via string concatenation or poorly parameterized templates. This can lead to unauthorized header injection, cache poisoning, or information leakage through manipulated response headers. Even though Cockroachdb itself does not interpret header values, the application layer misuse of headers to build queries or influence routing creates a security boundary violation.
Consider a Featherjs service that builds a SQL string using a header value:
// Risky: header value directly interpolated into SQL
app.service('reports').hooks({
before: {
find: async context => {
const tenantHeader = context.params.headers['x-tenant'];
const query = `SELECT * FROM reports WHERE tenant_id = ${tenantHeader}`;
context.result = await context.app.get('knex')('query', query);
return context;
}
}
});
An attacker can supply x-tenant: 1; DROP TABLE reports; -- to manipulate the SQL sent to Cockroachdb, demonstrating header injection’s impact on data integrity. Similarly, injecting newline characters in headers may enable HTTP response splitting if the framework or proxy reflects headers improperly, even when Cockroachdb is only used as a data store.
To mitigate, treat all header-derived inputs as untrusted. Validate and sanitize before use, prefer parameterized queries, and avoid composing SQL with string interpolation. The Feathersjs ecosystem provides hooks and middleware where such controls can be enforced consistently across services.
Cockroachdb-Specific Remediation in Feathersjs — concrete code fixes
Remediation centers on strict input validation, safe SQL composition, and disciplined use of hooks in Feathersjs. Never directly interpolate header values into SQL strings. Instead, use parameterized queries or an ORM/query builder that enforces placeholders. For Cockroachdb, ensure that values bound to prepared statements are correctly typed and constrained.
Below are concrete, safe patterns for a Feathersjs service using Cockroachdb via Knex:
// Safe: parameterized query with explicit header validation
const validTenantPattern = /^[a-zA-Z0-9_-]{1,64}$/;
app.service('reports').hooks({
before: {
find: async context => {
const tenantHeader = context.params.headers['x-tenant'];
if (!tenantHeader || !validTenantPattern.test(tenantHeader)) {
throw new Error('Invalid tenant header');
}
// Use parameterized query to prevent injection
context.result = await context.app.get('knex')('reports')
.where('tenant_id', tenantHeader);
return context;
}
}
});
If you rely on raw queries, use Knex’s query with bindings:
// Safe: raw SQL with bindings to Cockroachdb
app.service('reports').hooks({
before: {
find: async context => {
const tenantHeader = context.params.headers['x-tenant'];
if (!tenantHeader || !validTenantPattern.test(tenantHeader)) {
throw new Error('Invalid tenant header');
}
const { rows } = await context.app.get('knex')('query')('SELECT * FROM reports WHERE tenant_id = $1', [tenantHeader]);
context.result = rows;
return context;
}
}
});
For WebSocket transports, validate and sanitize header-like data from the payload, and apply the same principles:
// Safe: validating and using data from WebSocket payload
app.service('stream').hooks({
before: {
create: async context => {
const tenantHeader = context.data.tenantHeader;
if (!tenantHeader || !validTenantPattern.test(tenantHeader)) {
throw new Error('Invalid tenant header');
}
context.result = await context.app.get('knex')('events')
.where('tenant_id', tenantHeader)
.limit(100);
return context;
}
}
});
Additional remediation steps include implementing a lightweight schema validation layer for headers and payloads (e.g., using libraries that support pattern, type, and length checks), and centralizing header processing in reusable hooks to avoid duplicated logic across services. Regular scanning with tools that include LLM security checks can help detect prompt injection or leakage that may indirectly influence how headers are handled in AI-assisted development workflows.