Server Side Template Injection in Axum with Mongodb
Server Side Template Injection in Axum with Mongodb — how this specific combination creates or exposes the vulnerability
Server Side Template Injection (SSTI) occurs when an attacker can inject template code that is later evaluated by a server-side templating engine. In an Axum application using a templating engine such as Askama or Tera, user-controlled input that reaches a template without proper sanitization can lead to arbitrary code execution within the rendering context. When the rendered output interacts with a Mongodb backend—such as dynamically building queries, constructing collection names, or passing user data into aggregation pipelines—the impact can extend beyond reflected or stored content manipulation to unauthorized database operations.
Consider an endpoint that accepts a collection_suffix parameter to select a Mongodb collection for reporting. If the route handler passes this parameter into a template that then renders a string used at runtime to select a collection, an attacker might inject template logic to alter control flow or leak environment variables. Axum does not introduce a templating engine by default; the risk arises when developers integrate a template engine and inadvertently allow untrusted input to influence template evaluation or downstream data handling. Because Mongodb operations often rely on dynamic keys or constructed pipelines, injected template fragments can modify query structure, bypass intended filters, or trigger verbose error messages that reveal internal schema details.
In a real scenario, an SSTI payload might attempt to access Mongodb connection information through the template context or manipulate the data sent to mongodb::Database methods. For example, if a template uses variable interpolation to build a database name, an attacker could traverse namespace boundaries or probe for misconfigured access controls. Axum’s extractor patterns and state management do not inherently protect against logic abuse in templates; the framework relies on the developer to validate and sanitize inputs before they reach any rendering or database layer. Therefore, the combination of dynamic template evaluation and flexible Mongodb query construction creates a path for attackers to influence server-side behavior beyond simple output manipulation.
Mongodb-Specific Remediation in Axum — concrete code fixes
To mitigate SSTI risks in an Axum application that uses Mongodb, ensure user input never reaches the template engine or database construction logic. Validate and restrict all dynamic identifiers, and prefer static mapping over runtime string assembly. Below are concrete patterns and code examples tailored for Axum with Mongodb.
1. Avoid dynamic collection names via user input
Do not allow raw user input to determine collection names. Use an allowlist to map logical names to known collections.
use axum::{routing::get, Router};
use mongodb::{Client, Collection};
use std::sync::Arc;
struct AppState {
collections: std::collections::HashMap>,
}
async fn get_report(
State(state): State>,
Query(params): Query,
) -> Result {
let collection = state.collections.get(¶ms.report_type)
.ok_or_else(|| (StatusCode::BAD_REQUEST, "Invalid report type".into()))?;
// Safe: using a pre-validated collection reference
let cursor = collection.find(None, None).await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
let docs: Vec<_> = cursor.try_collect().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
Ok(Json(docs))
}
#[derive(Deserialize)]
struct ReportParams {
report_type: String,
}
// Initialization: populate allowed collections at startup
async fn init_state(client: Client) -> Arc {
let db = client.database("audit_db");
let mut map = std::collections::HashMap::new();
map.insert("daily".into(), db.collection("daily_events"));
map.insert("weekly".into(), db.collection("weekly_events"));
Arc::new(AppState { collections: map })
} 2. Use typed queries instead of template-driven pipeline assembly
When working with aggregation pipelines, build stages programmatically using the Mongodb driver’s builders rather than interpolating user input into raw BSON or JSON strings.
use mongodb::{bson::{doc, Document}, options::FindOptions};
async fn safe_aggregate(
collection: &Collection,
user_role: &str,
) -> Result, mongodb::error::Error> {
let match_stage = doc! {
"$match": {
"role": user_role
}
};
let project_stage = doc! {
"$project": {
"name": 1,
"email": 1,
"_id": 0
}
};
let cursor = collection.aggregate(vec![match_stage, project_stage], None).await?;
cursor.try_collect().await
} 3. Harden template usage and context exposure
If you use a template engine, ensure the context passed to the template contains only non-sensitive, serializable data. Do not expose database handles or raw configuration objects.
use askama::Template;
#[derive(Template)]
#[template(path = "report.html")]
struct ReportTemplate<'a> {
title: &'a str,
entries: Vec,
}
// In handler: construct a clean context from validated sources
async fn render_report() -> Result {
let data = vec!["item1".into(), "item2".into()];
Ok(ReportTemplate {
title: "Daily Summary",
entries: data,
})
} 4. Validate and sanitize all inputs before any rendering or database use
Apply strict allowlist validation for identifiers and avoid concatenating strings to form database references. Use Axum extractors to enforce structure and reject malformed input early.
use axum::extract::Query;
use serde::Deserialize;
use validator::Validate;
#[derive(Deserialize, Validate)]
struct SafeQuery {
#[validate(length(min = 1, max = 32, alphanumeric = true))]
filter_key: String,
}
async fn filtered_search(
Query(params): Query,
collection: Collection,
) -> Result {
// params.filter_key is guaranteed alphanumeric and within length limits
let cursor = collection
.find(doc! { ¶ms.filter_key: true }, None)
.await
.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
let results: Vec<_> = cursor.try_collect().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
Ok(Json(results))
}