Injection Flaws in Fastapi with Api Keys
Injection Flaws in Fastapi with Api Keys — how this specific combination creates or exposes the vulnerability
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. In FastAPI applications that rely on API keys for access control, injection risks can emerge at three tightly coupled dimensions: the API key itself, the routing and parameter handling in FastAPI, and the downstream services or configurations the key enables.
First, consider API keys as data. If an API key is accepted via query parameters, headers, or cookies and then used to dynamically select a backend, tenant, or configuration, an attacker may attempt to break out of the expected value space. For example, an endpoint like /users/{user_id} that also accepts an X-API-Key header can become vulnerable if the server uses the key to look up a database connection string and the key is reflected in logs or error messages in an uncontrolled way. This can lead to information disclosure or, in more complex scenarios, enable injection into the lookup logic if the key is not strictly validated.
Second, FastAPI’s dependency injection system and path operation decorators can inadvertently expose injection surfaces if developers compose dynamic routes or dependencies using unchecked input. Suppose a dependency retrieves a tenant ID from the API key and uses string concatenation to form a database query or a request to another service. An attacker who can influence the API key or the parameters derived from it may attempt to inject malicious syntax such as SQL fragments, command segments, or maliciously crafted paths. Because FastAPI resolves dependencies automatically, unsafe use of Depends with user-controlled data can propagate tainted values into business logic.
Third, injection flaws are not limited to SQL or shell commands. When API keys are used to gate access to features that serialize user input or construct system commands, the combination can lead to server-side request forgery (SSRF), template injection, or command injection if the key’s associated permissions allow broader network access. For instance, an API key with elevated scopes might allow an attacker to induce the server to fetch internal metadata services (e.g., http://169.254.169.254) if input validation is weak. The interplay between authentication via API keys and unchecked parameter usage is where injection flaws manifest in FastAPI, often detectable through the framework’s OpenAPI/Swagger spec analysis combined with runtime testing.
Api Keys-Specific Remediation in Fastapi — concrete code fixes
Mitigating injection flaws when using API keys in FastAPI requires strict validation, controlled data flow, and safe composition of dependencies. Below are concrete, secure code examples that address common patterns.
1. Validate and restrict API key format
Do not accept arbitrary strings as API keys. Enforce a strict pattern using Pydantic or explicit checks before using the key for routing or configuration lookups.
from fastapi import FastAPI, Header, HTTPException, Depends
import re
app = FastAPI()
API_KEY_PATTERN = re.compile(r"^[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_=]*$")
def validate_api_key(x_api_key: str = Header(...)):
if not API_KEY_PATTERN.match(x_api_key):
raise HTTPException(status_code=401, detail="Invalid API key format")
return x_api_key
@app.get("/items")
async def read_items(api_key: str = Depends(validate_api_key)):
# Safe: api_key has been validated against a strict pattern
return {"message": "ok", "key_truncated": api_key[:4] + "****"}
2. Avoid dynamic query or configuration assembly using raw API key values
Never concatenate API key values into SQL strings or shell commands. Use parameterized queries and structured configuration lookups instead.
import sqlite3
from fastapi import FastAPI, Header, Depends
app = FastAPI()
def get_db_connection(api_key: str = Header(...)):
# Example: map key to a tenant-safe connection string without string interpolation
allowed_keys = {"tenantA": "tenant_a.db", "tenantB": "tenant_b.db"}
if api_key not in allowed_keys:
raise ValueError("Unauthorized")
conn = sqlite3.connect(allowed_keys[api_key])
return conn
@app.get("/users/{user_id}")
async def get_user(user_id: int, conn = Depends(get_db_connection)):
# Safe: using parameterized query
cursor = conn.cursor()
cursor.execute("SELECT name, email FROM users WHERE id = ?", (user_id,))
row = cursor.fetchone()
if row is None:
raise HTTPException(status_code=404, detail="User not found")
return {"id": user_id, "name": row[0], "email": row[1]}
3. Use dependency injection safely with explicit scopes
Design dependencies to receive validated, scoped values rather than raw keys. This reduces the surface for injection and makes the data flow explicit.
from fastapi import FastAPI, Depends, Security
from pydantic import BaseModel
app = FastAPI()
class ScopedKey(BaseModel):
tenant_id: str
permissions: list[str]
def get_scoped_key(x_api_key: str = Security(validate_api_key)):
# Perform mapping and validation once
mapping = {
"key_tenantA": ScopedKey(tenant_id="A", permissions=["read"]),
"key_tenantB": ScopedKey(tenant_id="B", permissions=["read", "write"]),
}
if x_api_key not in mapping:
raise HTTPException(status_code=403, detail="Insufficient permissions")
return mapping[x_api_key]
@app.get("/secure-data")
async def get_secure(scoped_key: ScopedKey = Depends(get_scoped_key)):
# Safe: scoped_key is already validated and contains expected fields
return {"tenant": scoped_key.tenant_id, "perms": scoped_key.permissions}
These examples emphasize strict validation, avoiding dynamic composition with untrusted values, and explicit scoping to reduce injection risk when API keys are used in FastAPI applications.