Sql Injection in Feathersjs with Basic Auth

SQL Injection in a Feathers.js service that uses Basic Authentication can occur when user-controlled input from authentication headers or request parameters is directly interpolated into database queries. Feathers.js is a framework that favors JavaScript data services, often integrating with databases via adapters such as Sequelize or Knex. If a developer constructs queries by concatenating or templating values from authentication.payload.user or from Basic Auth credentials without proper parameterization, an attacker can manipulate those values to alter query logic.

Consider a scenario where Basic Auth credentials are parsed and then used to dynamically build a WHERE clause. For example, a developer might read the username from the Basic Auth header and directly include it in a Knex query like knex('users').where('username', username). While Knex’s parameterized queries generally protect against injection, if the developer dynamically adds columns or table names based on request inputs, the protection is bypassed. An attacker can supply a crafted username such as ' OR 1=1 -- and, depending on how the query is assembled, potentially bypass authentication or extract other users’ data.

Another vector involves service parameters. Feathers allows hooks to modify query parameters. If a hook merges user data from the Basic Auth payload into the query params object without validation, and the underlying adapter builds unsafe SQL, injection becomes feasible. For instance, merging params.query = { $or: [ { username: authUser }, { raw: injected } ] } can lead to unintended behavior when the adapter translates JavaScript expressions into SQL. Additionally, if the API exposes an endpoint that accepts an ID for a lookup and that ID is derived from or influenced by authenticated identity, an attacker may attempt SQL injection through that input path, especially when input validation is weak.

Even when using an ORM, misconfiguration can expose risks. If the ORM is set to raw mode for performance and developers pass concatenated strings instead of parameterized bindings, SQL Injection can manifest. The combination of Basic Auth (where credentials are often handled with custom logic) and dynamic query building increases the attack surface. This is particularly relevant when endpoints return sensitive data and rely on authentication to scope records; a successful injection can subvert scoping and expose or modify data across users.

Real-world attack patterns mirror classic OWASP API Top 10 A03:2021 broken object level authorization when combined with injection. For example, an attacker might send a crafted request with Basic Auth credentials and a malicious query fragment to enumerate valid users or dump table contents. Because Feathers services often expose REST-like endpoints with minimal query validation by default, the framework does not inherently protect against these injection techniques. Therefore, developers must treat inputs from authentication headers and authenticated identities as untrusted and apply strict parameterization and validation.

To mitigate SQL Injection when using Basic Authentication in Feathers.js, ensure that all data derived from authentication or user input is never directly interpolated into SQL strings. Use parameterized queries or ORM methods that enforce binding, and validate and sanitize all inputs. Below are concrete remediation steps with code examples.

1. Use Knex with parameterized queries

Always use Knex’s query builder with bound values. Do not concatenate user input into raw SQL.

// Safe: using Knex with parameterized values
const { username } = authentication.payload.user;
const users = await app.service('users').Model.query(qb => {
  qb.where('username', username);
}).fetch();

2. Validate and sanitize Basic Auth payloads in hooks

Use Feathers hooks to validate inputs derived from authentication before they reach the service. Reject malformed inputs early.

// Feathers hook to validate authentication-derived input
const validateInput = context => {
  const { username } = context.params.query;
  if (typeof username !== 'string' || !/^[a-zA-Z0-9_]{3,30}$/.test(username)) {
    throw new Error('Invalid username');
  }
  return context;
};

app.service('users').hooks({
  before: {
    find: [validateInput],
    get: [validateInput]
  }
});

3. Avoid dynamic SQL and use ORM safely

If using an ORM like Sequelize, prefer defined scopes and avoid raw queries with concatenation. If raw queries are necessary, use bind parameters.

// Sequelize safe usage with defined scopes
const users = await app.service('users').Model.scope('activeUsers').findAll({
  where: { username: authentication.payload.user.username }
});

4. Explicitly parse and restrict Basic Auth credentials

Do not trust the contents of the Authorization header beyond minimal verification. Extract credentials safely and avoid using them in query construction.

// Example of safe Basic Auth extraction in a hook
const basicAuthParser = context => {
  const authHeader = context.params.headers.authorization || '';
  if (authHeader.startsWith('Basic ')) {
    const base64 = authHeader.split(' ')[1];
    const decoded = Buffer.from(base64, 'base64').toString('utf-8');
    const [user, pass] = decoded.split(':');
    // Minimal validation: ensure both parts exist
    if (user && pass) {
      context.params.authenticatedUser = { username: user };
    }
  }
  return context;
};

app.hooks.before.push(basicAuthParser);

5. Apply global input validation and output encoding

Use consistent validation libraries and ensure that outputs are encoded based on context to prevent any injected payloads from being interpreted as code or SQL.

// Using a validation library in a hook
const Ajv = require('ajv');
const ajv = new Ajv();
const validate = ajv.compile({
  type: 'object',
  properties: {
    id: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }
  },
  required: ['id']
});

const inputValidator = context => {
  const valid = validate(context.params.query);
  if (!valid) {
    throw new Error('Invalid input');
  }
  return context;
};

6. Enforce least privilege and scope queries by authenticated user

Ensure that queries automatically scope to the authenticated identity without relying on client-provided filters that can be tampered with.

// Scoping by authenticated user in a find hook
const scopeByUser = context => {
  const username = context.params.authenticatedUser?.username;
  if (username) {
    context.params.query = context.params.query || {};
    context.params.query.username = username;
  }
  return context;
};

7. Use the middleBrick CLI to scan for SQL Injection risks

Regularly scan your Feathers endpoints with the middleBrick CLI to detect SQL Injection and related issues. The tool runs black-box checks and provides prioritized findings with remediation guidance.

# Scan an API endpoint from the terminal
middlebrick scan https://api.example.com