Xpath Injection in Feathersjs with Cockroachdb
Xpath Injection in Feathersjs with Cockroachdb — how this specific combination creates or exposes the vulnerability
XPath Injection becomes relevant in a Feathersjs application using CockroachDB when user-controlled input is used to construct XPath expressions that are executed against an XML or JSON payload stored in the database. Feathersjs is a framework that encourages a service-oriented architecture where each service exposes CRUD-like operations. If a service accepts query parameters such as $where, custom hooks, or dynamic filter objects and directly interpolates these values into an XPath expression passed to CockroachDB (for example, through an XML column or an extension that supports XPath), the application may be susceptible to injection.
Consider a Feathersjs service that retrieves user preferences stored as XML in a CockroachDB column. A developer might write a custom hook that builds an XPath string from a request query parameter without sanitization:
<?xml version="1.0" encoding="UTF-8"?> <preferences> <theme>dark</theme> <language>en</language> </preferences>
If the XPath is constructed like this in JavaScript:
const xpath = "/preferences/theme[text()='" + userInput + "']";
An attacker could provide ' or 1=1 or ' as userInput, resulting in:
/preferences/theme[text()='' or 1=1 or '']
This would always match, potentially returning unintended data. CockroachDB, when used with XML functions or via an integration layer that supports XPath, will evaluate the expression as provided. Because Feathersjs does not inherently sanitize inputs used in such expressions, the developer must explicitly validate and escape user input to prevent XPath Injection. This specific combination highlights risk when business logic relies on dynamic XPath built from external sources.
Additionally, if the Feathersjs application exposes an unauthenticated endpoint that accepts an XPath-like query parameter to filter results, middleBrick’s LLM/AI Security and Input Validation checks can detect whether the endpoint allows injection vectors. Findings from such scans map to the OWASP API Top 10 A03:2021 — Injection, and may also align with PCI-DSS and SOC2 controls around input validation.
Cockroachdb-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on avoiding string concatenation for XPath construction and using parameterized approaches or strict allow-lists. Since CockroachDB does not provide native XPath parameterization in the same way SQL does, the safest method is to avoid dynamic XPath where possible and instead use structured queries or validate input against a strict pattern.
1. Use allow-listed values
Restrict input to known-safe values. For example, if the theme can only be dark or light, enforce this in the Feathersjs hook:
app.service('preferences').hooks({
before: {
get: [context => {
const allowedThemes = ['dark', 'light'];
if (context.params.query && context.params.query.theme && !allowedThemes.includes(context.params.query.theme)) {
throw new Error('Invalid theme');
}
return context;
}]
}
});
2. Escape user input if XPath is necessary
If you must construct XPath dynamically, escape single quotes and validate input length and character set. For text nodes, replace single quotes with two single quotes in XPath string literals:
function escapeXPathString(value) {
if (typeof value !== 'string') return value;
// Replace single quote with two single quotes for XPath string literal
return value.replace(/'/g, "''");
}
const safeInput = escapeXPathString(userInput);
const xpath = `/preferences/theme[text()='${safeInput}']`;
3. Use alternative filtering in Feathersjs
Instead of XPath, rely on Feathersjs query parameters and service-side filtering. Store data in relational-friendly formats and query with standard Feathersjs filters:
// In a Feathersjs service, use $limit and $skip, and custom filters
app.service('preferences').find({
query: {
theme: 'dark',
$select: ['theme', 'language']
}
}).then(result => {
console.log(result);
});
4. Example CockroachDB XML handling with safe XPath
If you store XML and must use XPath, ensure the XPath is built from non-user sources or use a strict allow-list. Here is a CockroachDB SQL example that demonstrates extracting a value safely after validating the input in the application layer:
-- Assume validated_theme is passed from the application after allow-list check
SELECT xpath('/preferences/theme[text()=$1]', preferences_column, ARRAY[validated_theme])
FROM user_preferences
WHERE user_id = $2;
In your Feathersjs service, you would call this via a custom hook or adapter only after validating validated_theme against an allow-list. This ensures that even if the database supports XPath, the input never reaches the query as raw user data.
middleBrick’s CLI can be used to verify that endpoints using such dynamic filtering do not expose injection risks: middlebrick scan <url>. The resulting report will highlight input validation weaknesses and provide remediation guidance consistent with OWASP API Top 10.
Frequently Asked Questions
How can I test if my Feathersjs endpoint with CockroachDB is vulnerable to XPath Injection?
' or 1=1 or ' in query parameters that influence XPath construction. Observe whether the response returns unexpected data or errors that indicate the expression was altered. Use middleBrick’s scan to automatically detect input validation issues.