HIGH api key exposureadonisjsmssql

Api Key Exposure in Adonisjs with Mssql

Scan for api key exposure in adonisjs

Api Key Exposure in Adonisjs with Mssql — how this specific combination creates or exposes the vulnerability

When AdonisJS applications connect to Microsoft SQL Server via mssql, improper handling of connection credentials and query construction can lead to API key exposure. The mssql package commonly reads configuration from environment variables or config files. If an attacker can read environment variables (for example, via a log injection or server-side template rendering bug), raw connection strings containing embedded API keys or secrets may be exposed.

Additionally, AdonisJS route handlers that build dynamic queries by concatenating user input into SQL strings can inadvertently expose API keys when error messages or debug output reveal query text or schema details. For instance, constructing a WHERE clause by directly interpolating request parameters into a T-SQL string can lead to SQL injection, which often results in verbose errors that expose internal connection details, including API keys used for external service authentication stored in columns or configuration.

Another vector specific to the mssql pool in AdonisJS is misconfigured connection pooling or shared pool references across requests. If API keys are embedded in the connection config object and that object is reused or logged improperly, keys can leak through application logs or error traces. Since AdonisJS typically loads config once at startup, any exposure of that config at runtime can expose the API keys to anyone who can trigger or view logs, debug endpoints, or server-side error pages.

Consider an AdonisJS route that builds a T-SQL query by concatenating a user-supplied identifier to select a row containing an API key column:

const { request } = use('request')
const userId = request.param('id')
const query = "SELECT api_key FROM services WHERE user_id = " + userId
const result = await MsSql.query(query)

If an attacker passes id=1; SELECT TOP 1 api_key FROM services--, the resulting query returns an API key, and if error handling exposes the full query or result set, the key is effectively leaked. The mssql driver will execute the injected statement, and any returned sensitive column values become exposed.

Environment-based exposure is also common. An AdonisJS config file might define:

// config/database.js
module.exports = {
  connection: {
    server: Env.get('DB_SERVER'),
    user: Env.get('DB_USER'),
    password: Env.get('DB_PASSWORD'),
    options: {
      encrypt: true,
      trustServerCertificate: false
    },
    // API key for a third-party service stored in connection metadata
    apiKey: Env.get('EXTERNAL_API_KEY')
  }
}
module.exports = { ...connection, user: connection.user + ':' + connection.apiKey }

If the application logs the connection string or a developer accidentally exposes the config via a debug route, the API key is exposed. The mssql library does not inherently treat apiKey as sensitive, so developers must ensure such values are never serialized into logs, responses, or client-side code.

Mssql-Specific Remediation in Adonisjs — concrete code fixes

To prevent API key exposure when using mssql in AdonisJS, adopt parameterized queries, strict config management, and output sanitization. Never build T-SQL by concatenating strings, and avoid exposing configuration objects that contain sensitive values.

Use parameterized queries to prevent SQL injection and avoid exposing API keys through error messages. Instead of embedding values directly, use bound parameters:

const userId = request.param('id')
const result = await MsSql.query('SELECT api_key FROM services WHERE user_id = @userId', {
  userId: { value: userId, type: 'Int' }
})

Isolate API keys from database configuration. Do not store service API keys in the same object used for database authentication. Use environment variables and a dedicated configuration module that does not concatenate keys into connection strings:

// config/services.js
module.exports = {
  externalApi: {
    key: Env.get('EXTERNAL_API_KEY'),
    endpoint: Env.get('EXTERNAL_API_ENDPOINT')
  }
}
// Use directly without merging into database config
const apiKey = services.externalApi.key

Sanitize outputs and handle errors safely. Ensure error handlers do not return raw query text or configuration details. Log only non-sensitive metadata, and scrub any response that might include API key values:

try {
  const result = await MsSql.query('SELECT id, name FROM services WHERE user_id = @userId', {
    userId: { value: request.param('id'), type: 'Int' }
  })
  return result.recordset
} catch (error) {
  // Log error code only, never the query or bindings in plain text
  Logger.error('mssql_query_failed', { code: error.code })
  throw ApplicationException.invoke('unable to load services')

Use connection pooling securely. Ensure the mssql pool is configured with minimal privileges and that any external API keys are not embedded in pool-level metadata. Rotate keys regularly and avoid sharing the same key across multiple services or environments.

RiskBad Practice ExampleSecure Alternative
SQL InjectionQuery built via string concatenationParameterized queries with bound values
Config ExposureAPI key concatenated into connection user stringSeparate service config, no key merging
Log LeakageLogging full query with keysLog error codes only, scrub outputs
Scan for api key exposure in adonisjs Free API security scan

Frequently Asked Questions

How can I verify that my AdonisJS + mssql setup does not leak API keys in error responses?
Test by sending malformed requests that trigger errors and inspect the returned messages. Ensure no raw queries, stack traces, or configuration objects containing API keys are present. Use parameterized queries and structured error handling that returns generic messages.
Does middleBrick detect API key exposure in AdonisJS with Mssql configurations?
middleBrick scans unauthenticated attack surfaces and can identify risky patterns such as exposed configuration endpoints or endpoints that reflect API keys in responses. It provides findings with severity and remediation guidance mapped to frameworks like OWASP API Top 10.

Related Pages

Api Key Exposure in AdonisjsAPI key exposure in Adonisjs applications: detection and remediation for hardcoded keys, fallback values, and logging vuApi Key Exposure in MssqlAPI key exposure in MSSQL environments creates critical vulnerabilities through hardcoded credentials, SQL injection, anApi Key Exposure in Adonisjs on AwsLearn how AWS key exposure occurs in AdonisJS, and apply concrete code fixes to protect credentials in API responses.Api Key Exposure in Adonisjs on FirebaseLearn how API key exposure occurs with Firebase in AdonisJS and apply concrete code fixes to secure credentials and confHipaa: Api Key Exposure in AdonisjsExplore HIPAA risks when API keys are exposed in AdonisJS. Learn secure patterns for storage, logging, and transmission,Gdpr: Api Key Exposure in AdonisjsGDPR and API key exposure in AdonisJS: risks and remediation with code examples and logging best practicesIso 27001: Api Key Exposure in AdonisjsExplore ISO 27001 and Adonisjs API key exposure: risks, real code examples, and remediation steps to protect secrets andApi Key Exposure in Adonisjs with Jwt TokensUnderstand how embedding API keys in JWT tokens in AdonisJS creates exposure and apply concrete code fixes to keep keys Cis: Api Key Exposure in AdonisjsCIS risks and remediation for API key exposure in AdonisJS: practical code guidance and how middleBrick detects issues.Api Key Exposure in Adonisjs with Basic AuthExplore how Basic Auth in AdonisJS can expose API keys, with concrete remediation code examples and AdonisJS security beApi Key Exposure in Adonisjs with Api KeysUnderstand and remediate API key exposure in AdonisJS, with practical code fixes and how middleBrick detects these issueApi Key Exposure in Adonisjs with Mutual TlsExplore how API key exposure can occur alongside Mutual TLS in AdonisJS, with practical remediation code examples to pre