Stack Overflow in Actix with Cockroachdb
Stack Overflow in Actix with Cockroachdb — how this specific combination creates or exposes the vulnerability
When building an Actix-web service that uses CockroachDB as the primary datastore, a stack overflow can arise from unbounded recursion in application code combined with the way CockroachDB handles repeated query execution and connection behavior. This combination exposes the attack surface through endpoint handlers that recursively process nested data structures or follow foreign-key chains without depth limits.
Consider an endpoint that traverses a hierarchical organization chart stored in CockroachDB. If the handler recursively queries parent or child nodes based on incoming identifiers without validating depth or applying pagination, an attacker can supply a crafted identifier that creates a deep chain of recursive SQL calls. Because Actix-web processes each recursion on the same or a growing stack frame, the service can exhaust the available stack space, leading to a crash or denial of service.
Another vector involves deserialization of user-supplied payloads that reference related records. For example, if a JSON payload includes a field that triggers a cascading set of CockroachDB queries (e.g., fetching related rows via foreign keys), and the application code does not enforce a maximum join depth or result size, the cumulative work on the server can grow beyond safe limits. This is especially relevant when using CockroachDB’s distributed SQL engine, where repeated execution of complex joins or scans without proper limits can amplify resource usage on the application thread handling the request.
Insecure deserialization patterns in Actix can also contribute. If the handler uses recursive structs with serde and does not impose depth limits during deserialization, an attacker can submit deeply nested JSON that causes the parser to consume excessive stack. The combination of serde’s recursive traversal and CockroachDB queries triggered for each level creates a feedback loop where each deserialization step may issue additional queries, further increasing stack pressure.
Operational factors exacerbate the issue. Without runtime guards, the Actix runtime may spawn work that interacts with CockroachDB in ways that generate repeated or unbounded query execution. Even though CockroachDB manages its own concurrency and memory, the application-side stack remains finite and vulnerable to exhaustion when recursive logic is not carefully constrained.
Cockroachdb-Specific Remediation in Actix — concrete code fixes
Apply input validation and iterative processing to avoid recursive stack growth. Use explicit depth limits and pagination when querying hierarchical data in CockroachDB from Actix handlers.
use actix_web::{web, HttpResponse};
use cockroach_client::CockroachDb;
async fn get_organization_safe(
db: web::Data,
path: web::Path<(i64, usize)>, // (root_id, max_depth)
) -> HttpResponse {
let (root_id, max_depth) = path.into_inner();
if max_depth > 10 {
return HttpResponse::BadRequest().body("max_depth too large");
}
let mut current_depth = 0;
let mut current_ids = vec![root_id];
let mut result = Vec::new();
while current_depth < max_depth && !current_ids.is_empty() {
let rows = db
.query(
"SELECT id, name, parent_id FROM organizations WHERE parent_id = ANY($1)",
&[¤t_ids],
)
.await
.map_err(|e| {
actix_web::error::ErrorInternalServerError(e)
})?;
if rows.is_empty() {
break;
}
let mut next_ids = Vec::new();
for row in rows {
let id: i64 = row.get(0);
let name: String = row.get(1);
result.push((id, name));
next_ids.push(id);
}
current_ids = next_ids;
current_depth += 1;
}
HttpResponse::Ok().json(result)
} Enforce query complexity limits in SQL and avoid deep recursive CTEs. Use iterative application logic instead of recursive SQL constructs that could be exploited to amplify stack usage.
async fn get_organization_iterative_safe(
db: web::Data,
web::Path(root_id): web::Path,
) -> HttpResponse {
// Use a controlled breadth-first approach with a configurable page size
const PAGE_SIZE: i64 = 100;
let mut offset = 0;
let mut all_nodes = Vec::new();
loop {
let rows = db
.query(
"SELECT id, name, parent_id FROM organizations
WHERE parent_id = $1
LIMIT $2 OFFSET $3",
&[&root_id, &PAGE_SIZE, &offset],
)
.await
.map_err(|e| actix_web::error::ErrorInternalServerError(e))?;
if rows.is_empty() {
break;
}
for row in rows {
let id: i64 = row.get(0);
let name: String = row.get(1);
all_nodes.push((id, name));
}
offset += PAGE_SIZE;
// Safety guard: stop after a reasonable number of pages
if offset > 10_000 {
break;
}
}
HttpResponse::Ok().json(all_nodes)
} For deeply nested structures, prefer iterative traversal with explicit stack management in Rust to avoid relying on the call stack. This prevents stack overflow regardless of how deep the logical hierarchy is.
async fn get_organization_iterative_explicit_stack(
db: web::Data,
web::Path(root_id): web::Path,
) -> HttpResponse {
let mut stack = vec![root_id];
let mut visited = std::collections::HashSet::new();
let mut result = Vec::new();
while let Some(current) = stack.pop() {
if visited.contains(¤t) {
continue;
}
visited.insert(current);
let rows = db
.query(
"SELECT id, name, parent_id FROM organizations WHERE id = $1",
&[¤t],
)
.await
.map_err(|e| actix_web::error::ErrorInternalServerError(e))?;
for row in rows {
let id: i64 = row.get(0);
let name: String = row.get(1);
result.push((id, name));
// Push children onto the explicit stack
let child_ids: Vec = db
.query_scalar(
"SELECT id FROM organizations WHERE parent_id = $1",
&[&id],
)
.await
.unwrap_or_default();
for child in child_ids {
if !visited.contains(&child) {
stack.push(child);
}
}
}
}
HttpResponse::Ok().json(result)
}