Shellshock in Fastapi with Api Keys
Shellshock in Fastapi with Api Keys — how this specific combination creates or exposes the vulnerability
Shellshock (CVE-2014-6271 and related variants) is a command injection vulnerability in the Bash shell that arises when environment variables contain maliciously crafted function definitions. In a FastAPI application that relies on API keys for access control, the risk emerges not from FastAPI itself, but from how API keys are propagated into the runtime environment and subsequently used in subprocess calls. If an API key value or a field derived from it is passed to os.environ, or to subprocess functions such as subprocess.run or subprocess.Popen, and that value contains attacker-controlled input, an attacker can inject Bash function payloads that execute arbitrary commands.
Consider a scenario where an API key is used to authorize requests and is also stored temporarily in the environment for a downstream service or for signing requests. A developer might write code like the following, intending to forward the key to an external process:
import os
import subprocess
from fastapi import FastAPI, Depends, HTTPException
app = FastAPI()
def get_api_key():
# Example key format supplied by client, e.g., via header X-API-Key
key = "abc123"
return key
@app.get("/data")
async def read_data(api_key: str = Depends(get_api_key)):
# Unsafe: embedding API key into environment for a subprocess
os.environ["CLIENT_API_KEY"] = api_key
result = subprocess.run(["curl", "https://internal.example.com/validate"], capture_output=True, text=True)
if result.returncode != 0:
raise HTTPException(status_code=500, detail="validation failed")
return {"status": "ok"}
If the API key value is attacker-controlled (e.g., via header injection or compromised client), an attacker can set it to something like () { :; }; echo vulnerable. When Bash is invoked by subprocess, it parses environment variables before the command, executing the injected function body and potentially leading to remote code execution. Even when API keys are validated against a known set, storing them in the environment and later using them in shell commands expands the attack surface. Shellshock in this context is not about breaking authentication directly via API keys; it is about unsafe interaction between trusted application inputs (including secrets) and shell execution. The combination of FastAPI endpoints that accept external input, improper handling of secrets in environment variables, and subprocess calls that invoke Bash creates exploitable conditions.
Another relevant pattern involves HTTP clients that construct shell commands for diagnostics or transformations. For example, passing an API key into a command string for tools like curl or openssl without strict input validation or use of safe subprocess interfaces can trigger the same issue. Because middleBrick scans unauthenticated attack surfaces and checks for risky patterns, it can surface such dangerous integrations by correlating findings from the Unsafe Consumption and Input Validation checks with detected use of subprocess or environment manipulation.
Api Keys-Specific Remediation in Fastapi — concrete code fixes
Remediation focuses on preventing API key values from ever reaching the shell environment and avoiding shell interpretation of any external input. The preferred approach is to avoid subprocess invocation with environment-derived secrets entirely; if unavoidable, use shell=False and pass arguments as a list without constructing shell commands. Below are concrete, secure code examples.
Secure pattern 1: Avoid environment pollution and use safe HTTP clients
import httpx
from fastapi import FastAPI, Depends, Header, HTTPException
app = FastAPI()
async def get_api_key(x_api_key: str = Header(None)):
if not x_api_key or not x_api_key.startswith("ak_"):
raise HTTPException(status_code=401, detail="Invalid API key")
return x_api_key
@app.get("/data")
async def read_data(api_key: str = Depends(get_api_key)):
async with httpx.AsyncClient() as client:
headers = {"Authorization": f"Bearer {api_key}"}
resp = await client.get("https://internal.example.com/validate", headers=headers)
resp.raise_for_status()
return {"status": "ok", "validation": resp.json()}
This pattern keeps the API key in memory and passes it safely over HTTPS without touching the environment or invoking a shell. Using typed header dependencies with basic format checks reduces injection risks.
Secure pattern 2: If subprocess is required, use shell=False and avoid environment variables
import subprocess
from fastapi import FastAPI, Depends, Header, HTTPException
app = FastAPI()
def get_api_key(x_api_key: str = Header(None)):
if not x_api_key or not x_api_key.startswith("ak_"):
raise HTTPException(status_code=401, detail="Invalid API key")
return x_api_key
@app.get("/run")
async def run_tool(api_key: str = Depends(get_api_key)):
# Safe: no shell, arguments as list, no environment injection
result = subprocess.run(
["/usr/bin/validate", "--token", api_key],
capture_output=True,
text=True,
shell=False
)
if result.returncode != 0:
raise HTTPException(status_code=500, detail="validation tool failed")
return {"stdout": result.stdout}
By using shell=False and passing arguments as a list, the API key is treated as a literal argument, not as part of a shell command string, mitigating injection and Shellshock risks. Never set os.environ with secret values if they will be read by subprocess, and avoid string interpolation when constructing commands.