Ssrf in Adonisjs with Cockroachdb

Server-Side Request Forgery (SSRF) in AdonisJS when interacting with CockroachDB arises when an application accepts a user-supplied URL or host and uses it to form database connection strings or HTTP-based administrative endpoints. AdonisJS encourages explicit configuration, but if a developer dynamically builds a CockroachDB connection URL from unchecked input (e.g., request query or body), an attacker can pivot the outbound HTTP requests made by the database driver or associated tooling to internal services.

CockroachDB exposes an HTTP SQL UI (by default on :8080) and administrative endpoints for nodes and databases. If AdonisJS code uses a user-controlled hostname or port to construct a CockroachDB connection string, the SSRF vector can extend beyond outbound HTTP calls from the application to include reconnaissance of the database control plane. For example, an attacker-supplied hostname like http://localhost:8080 or http://metadata.google.internal can cause the application or its operators to inadvertently expose internal services. The risk is compounded when AdonisJS jobs or scheduled tasks resolve and connect to these dynamically provided endpoints, enabling internal service enumeration or data exposure through crafted responses that are consumed by the application or its infrastructure tooling.

Because AdonisJS often uses environment-based configuration, a common pattern is to read DB_HOST, DB_PORT, and similar variables. If these are overridden at runtime via user input (e.g., through a settings endpoint or CI job URL), the application may establish connections to attacker-controlled listeners or internal CockroachDB nodes. Even when the primary database queries are parameterized, the connection phase and administrative introspection remain vulnerable if host/port are not strictly validated. The SSRF here is not merely about data exfiltration from the application but about leveraging the database’s HTTP interfaces to scan or interact with internal infrastructure that the database process can reach.

Remediation centers on strict validation of any user input that influences database connectivity, avoiding dynamic composition of connection URIs, and isolating administrative endpoints from application code paths. Below are concrete, CockroachDB-specific fixes for AdonisJS.

1. Hardcode or securely parameterize CockroachDB connection details

Define the connection string in environment files (.env) and never concatenate user input into it. Use AdonisJS’s built-in config for the CockroachDB connection.

// config/database.ts
import { Env } from '@ioc:Adonis/Core/Env'

export default {
  connection: 'cockroachdb',
  connections: {
    cockroachdb: {
      client: 'cockroachdb',
      connection: {
        host: Env.get('DB_HOST', 'localhost'),
        port: Env.get('DB_PORT', '26257'),
        user: Env.get('DB_USER', 'root'),
        password: Env.get('DB_PASSWORD', ''),
        database: Env.get('DB_NAME', 'postgres'),
        // Do not build the URL from user input
        url: undefined
      },
      debug: false,
    },
  },
}

2. Validate and restrict allowed hosts for CockroachDB endpoints

If you must accept a target host (e.g., for multi-tenant routing), enforce an allowlist and reject any host that resolves to private IP ranges or localhost.

// app/Validators/CockroachConnectionValidator.ts
import { schema } from '@ioc:Adonis/Core/Validator'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class CockroachConnectionValidator {
  public schema = schema.create({
    host: schema.string({}, [
      // Only allow specific production hostnames
      schema.validator('regex', { pattern: /^(?:db|crdb-prod)\.example\.com$/ }),
      schema.validator('max_length', { max: 255 })
    ]),
    port: schema.number([
      schema.validator('range', { max: 65535, min: 1 })
    ])
  })

  public async validate(ctx: HttpContextContract) {
    const payload = await ctx.validate()
    // Reject localhost/loopback or private addresses
    const privatePrefixes = ['127.', '10.', '192.168.', '172.16.', '172.31.']
    if (privatePrefixes.some((p) => payload.host.startsWith(p))) {
      throw new Error('Invalid database host: private addresses not allowed')
    }
    return payload
  }
}

3. Use parameterized queries and avoid dynamic SQL construction

Even with a validated host, never build SQL strings from user data. Use AdonisJS query builder or Lucid ORM with bound parameters to prevent injection at the query layer, which complements SSRF prevention by ensuring the payload cannot alter connection intent.

// Example using Lucid ORM with validated connection
import User from 'App/Models/User'

export async function safeLookup(ctx) {
  const { userId } = ctx.request.qs()
  // Use parameterized find/query; do not embed userId in host/port
  const user = await User.query().where('id', userId).firstOrFail()
  return user
}

4. Restrict outbound connectivity for the CockroachDB process

From an infrastructure perspective, ensure the AdonisJS application’s runtime environment (containers, VMs) restricts egress to known CockroachDB endpoints only. This reduces the impact of a potential SSRF by preventing connections to unexpected internal services such as http://localhost:8080 (SQL UI) or metadata services.

5. Disable unused administrative routes in CockroachDB configuration

In production deployments, limit the HTTP endpoints exposed by CockroachDB. If your application does not need the SQL UI or debug endpoints, configure CockroachDB to bind only to the necessary RPC and SQL ports, and firewall the HTTP UI port (default :8080) from the AdonisJS host.