Prototype Pollution in Actix with Api Keys

Prototype pollution in Actix applications that rely on API keys for access control can arise when user-supplied input is merged into configuration objects or request extensions that later influence behavior. In JavaScript-based Actix services (or Node.js addons used within Actix), if an endpoint copies properties from a request query or body into a shared prototype or configuration map, an attacker can provide a crafted key such as __proto__[polluted] or constructor.prototype[admin]. These keys are interpreted by the JavaScript engine as prototype mutations, affecting all subsequent object instantiations. When API keys are used to gate authorization checks, pollution of objects like req.extensions or middleware context can change which key is considered valid, effectively bypassing intended access restrictions.

Consider an Actix middleware that stores API key metadata on the request extensions for later validation. If the code does not defensively copy or validate incoming JSON, an attacker can submit a JSON payload with a property named __proto__ containing malicious fields. During object merging, these fields can propagate to the prototype of shared objects, enabling property injection attacks. For example, an API key validation routine that iterates over Object.keys(req.extensions.scopes) may inadvertently include polluted properties, granting unintended scopes. This is especially dangerous when the application serializes objects or uses JSON.stringify on prototypes, as polluted values may be persisted or reflected back to clients.

In the context of API keys, prototype pollution can lead to privilege escalation, data exposure, or unauthorized function execution. An attacker who modifies the prototype of objects used for routing or middleware matching might cause an API key intended for read-only access to be treated as having administrative rights. Because Actix endpoints often rely on shared state across requests, a single successful pollution can affect multiple users. The vulnerability is compounded when OpenAPI/Swagger specifications are generated from polluted prototypes, as definitions may diverge from runtime behavior, causing security checks to miss misconfigurations. middleBrick’s 12 security checks, including Property Authorization and Input Validation, are designed to detect such inconsistencies between spec definitions and runtime behavior, helping identify prototype pollution paths that intersect with API key handling.

To mitigate prototype pollution in Actix services that use API keys, ensure that all user input is validated and that object merging is performed safely. Avoid using untrusted properties as keys in objects that are later used for authorization. Below are concrete code examples demonstrating secure handling of API keys in Actix applications.

Example 1: Safe API key extraction and validation

Instead of merging raw query parameters into request extensions, explicitly extract and validate the API key:

use actix_web::{web, HttpRequest, Error};

fn extract_api_key(req: &HttpRequest) -> Result {
    let key = req.query_string()
        .split('&')
        .find_map(|param| {
            let mut parts = param.split('=');
            if parts.next()? == "api_key" {
                Some(parts.next()?.to_string())
            } else {
                None
            }
        })
        .ok_or_else(|| actix_web::error::ErrorBadRequest("Missing api_key"))?;

    // Validate format to prevent injection
    if !key.chars().all(|c| c.is_alphanumeric() || c == '-' || c == '_') {
        return Err(actix_web::error::ErrorBadRequest("Invalid api_key format"));
    }
    Ok(key)
}

Example 2: Defensive object extension without prototype pollution

When storing API key metadata, use a plain struct or a map that does not rely on prototype chain lookups:

use actix_web::{dev::ServiceRequest, Error};
use std::collections::HashMap;

struct ApiKeyContext {
    key: String,
    scopes: Vec,
}

fn attach_api_key(req: ServiceRequest) -> Result {
    let api_key = extract_api_key(&req)?;
    let context = ApiKeyContext {
        key: api_key,
        scopes: vec!["read".to_string()],
    };
    // Store in request extensions as a concrete type, not a prototype-mutable object
    req.extensions_mut().insert(context);
    Ok(req)
}

Example 3: Input sanitization for JSON bodies

If your Actix endpoint accepts JSON, reject or sanitize properties that could modify prototypes:

use actix_web::web::Json;
use serde_json::Value;

async fn handle_body(Json(payload): Json) -> &'static str {
    // Reject inputs containing dangerous keys
    if payload.as_object().map_or(false, |obj| {
        obj.contains_key("__proto__") || obj.contains_key("constructor") || obj.contains_key("prototype")
    }) {
        return "Invalid input";
    }
    "OK"
}

These patterns ensure that API key validation and object handling remain predictable and do not rely on JavaScript prototype semantics. By combining strict input validation with explicit data structures, you reduce the risk of prototype pollution affecting authorization logic. middleBrick’s scans, including Property Authorization and Input Validation checks, can help verify that your implementation avoids these pitfalls.