Path Traversal in Loopback with Cockroachdb

Path Traversal occurs when an attacker manipulates file paths to access files outside the intended directory. In a Loopback application using Cockroachdb, this typically arises through endpoints that accept user-supplied identifiers (e.g., file names, document IDs) and use them to construct filesystem paths or to build database queries that indirectly reference filesystem resources. If user input is concatenated to a base path without strict validation or normalization, an attacker can use sequences like ../ to traverse directories and reach sensitive files such as configuration files, backups, or application source code.

When Cockroachdb is involved, the risk can compound in two ways. First, if your Loopback models define relations or references that include file paths or external keys, an attacker who can manipulate those references might traverse the filesystem to reach unintended resources. Second, if you use Cockroachdb’s file-external capabilities (for example, loading SQL files or using IMPORT statements) with paths derived from user input, a traversal payload could point to arbitrary locations on the host filesystem where the Cockroachdb process has visibility. Even when Cockroachdb itself does not directly expose file paths, an insecure Loopback controller that builds dynamic paths for logs, exports, or backups can become the vector, and Cockroachdb data may be exfiltrated or overwritten as a consequence.

Consider a Loopback controller that retrieves a report by name and streams a file from disk. A vulnerable implementation might look like this:

const path = require('path');
const fs = require('fs');

ReportController.prototype.downloadReport = function(req, res) {
  const userName = req.query.name; // e.g., "financials"
  const base = '/var/reports';
  const filePath = path.join(base, userName + '.csv');
  fs.readFile(filePath, function(err, data) {
    if (err) return res.status(404).send('Not found');
    res.set('Content-Type', 'text/csv');
    res.send(data);
  });
};

An attacker supplying ?name=../../../etc/passwd can cause filePath to resolve outside /var/reports. If the Loopback app runs with database credentials or environment variables that include Cockroachdb connection strings, those could be exposed. Moreover, if the reports directory contains exported Cockroachdb data, an attacker can read sensitive dataset contents. The same pattern can appear in backup or migration scripts that reference Cockroachdb dump files using user-controlled identifiers.

To detect this using middleBrick, you can scan your Loopback endpoint with the CLI: middlebrick scan <url>. The scan runs 12 checks in parallel, including Input Validation and Unsafe Consumption, and will flag path traversal indicators such as directory traversal sequences in URL parameters or missing path sanitization. The resulting report includes severity-ranked findings with remediation guidance and maps to frameworks like OWASP API Top 10 and PCI-DSS, helping you prioritize fixes without requiring internal architecture details or credentials.

Secure Loopback endpoints that interact with files or external resources by strictly validating and isolating user input. Do not concatenate user input into filesystem paths. Instead, use allowlists, canonicalization, and scoped directories. For Cockroachdb-related workflows, ensure that any file operations (IMPORT, backup scripts, or log exports) use fixed paths or server-side configuration rather than dynamic user input.

1. Use a fixed allowlist of report names and resolve paths server-side:

const path = require('path');
const fs = require('fs');

const ALLOWED_REPORTS = ['daily_sales', 'monthly_summary', 'audit_log'];

ReportController.prototype.downloadReport = function(req, res) {
  const userName = req.query.name;
  if (!ALLOWED_REPORTS.includes(userName)) {
    return res.status(400).send('Invalid report');
  }
  const base = '/var/reports';
  const filePath = path.join(base, userName + '.csv');
  // Ensure the resolved path remains inside base
  if (!filePath.startsWith(path.resolve(base))) {
    return res.status(403).send('Forbidden');
  }
  fs.readFile(filePath, function(err, data) {
    if (err) return res.status(404).send('Not found');
    res.set('Content-Type', 'text/csv');
    res.send(data);
  });
};

2. For Cockroachdb IMPORT or backup operations, avoid dynamic filenames from users. Use predefined configuration and environment-controlled paths:
const { Client } = require('pg'); // node-postgres works with Cockroachdb

async function runBackup(req, res) {
  const client = new Client({
    connectionString: process.env.COCKROACHDB_URI,
  });
  await client.connect();
  // Use a fixed, server-side path; do not interpolate user input into file paths
  const backupFile = '/backups/cockroachdb_prod.sql';
  const { execFile } = require('child_process');
  execFile('cockroach', ['sql', '--execute', 'BACKUP TO $1', backupFile],
    { env: { COCKROACHDB_URI: process.env.COCKROACHDB_URI } },
    (error) => {
      if (error) return res.status(500).send('Backup failed');
      res.download(backupFile, 'cockroachdb_backup.sql');
    }
  );
}

3. In Loopback models, avoid storing or resolving external file paths in database fields. If you must reference files, store a key or identifier and map it to a server-side path map:
const PATH_MAP = {
  report_a: '/data/reports/report_a.csv',
  report_b: '/data/reports/report_b.csv',
};

ReportController.prototype.getReportPath = function(req, res) {
  const key = req.query.key;
  const filePath = PATH_MAP[key];
  if (!filePath) return res.status(400).send('Invalid key');
  fs.readFile(filePath, function(err, data) {
    if (err) return res.status(404).send('Not found');
    res.send(data);
  });
};

middleBrick can support this remediation workflow by scanning your Loopback endpoints for path traversal indicators and insecure handling of user-controlled paths. Run middlebrick scan <url> to get a per-category breakdown including Input Validation and BFLA/Privilege Escalation findings, with prioritized remediation guidance. If you use the Pro plan, you can enable continuous monitoring so that regressions are caught early, and with the GitHub Action you can fail builds when a scan drops below your chosen threshold.