Broken Access Control in Restify with Cockroachdb
Broken Access Control in Restify with Cockroachdb — how this specific combination creates or exposes the vulnerability
Broken Access Control occurs when an API does not properly enforce permissions between users and resources. In a Restify service that uses Cockroachdb as the backend data store, the risk is elevated when request-level authorization is missing or inconsistent, and when database queries directly reflect untrusted input without ownership checks.
Consider a typical REST endpoint in Restify that loads a user profile:
server.get('/profiles/:id', async (req, res, next) => {
const { id } = req.params;
const result = await pool.query('SELECT * FROM profiles WHERE id = $1', [id]);
res.send(result.rows[0]);
return next();
});If the endpoint trusts the caller-supplied id and the database holds profiles for many users, an attacker can enumerate or access any profile simply by changing the numeric or UUID path parameter. This is BOLA/IDOR at the API layer, and Cockroachdb does not prevent it because SQL does not automatically apply tenant or user context unless the query explicitly enforces it.
A second common pattern is filtering by a foreign key that is derived from authentication context. If authentication provides a tenant or user identifier, but the query omits that filter, access control is effectively bypassed:
// Missing tenant_id filter — dangerous
const result = await pool.query('SELECT * FROM documents WHERE document_id = $1', [documentId]);In a multi-tenant deployment on Cockroachdb, rows are not isolated by tenant unless the SQL includes tenant_id. An attacker who knows or guesses a document_id can read or modify data that belongs to another tenant. This maps to OWASP API Top 10:2023 — A1 broken access control, and can be surfaced by middleBrick scanning as a BOLA/IDOR finding with severity high.
Additionally, mixing unauthenticated or weakly authenticated endpoints with sensitive Cockroachdb operations increases exposure. For example, an endpoint that does not validate a token but still executes privileged SQL can allow unauthenticated data exposure. middleBrick tests such unauthenticated attack surfaces and can detect endpoints that reach Cockroachdb without proper checks, highlighting risks tied to authentication and authorization gaps.
Because Cockroachdb supports complex joins and views, developers might inadvertently expose relationships that should be restricted. Without row-level security emulation in application logic and explicit checks in each handler, the database will return data the caller is not entitled to see, completing the broken access control chain.
Cockroachdb-Specific Remediation in Restify — concrete code fixes
Remediation focuses on ensuring every database query enforces ownership or tenant context derived from authenticated claims, and never trusting path parameters alone.
1) Enforce user ownership in queries. After authenticating a user, include their user ID in the WHERE clause:
server.get('/profiles/:id', async (req, res, next) => {
const userId = req.user.id; // from auth middleware
const { id } = req.params;
const result = await pool.query(
'SELECT * FROM profiles WHERE id = $1 AND user_id = $2',
[id, userId]
);
if (!result.rows.length) {
return res.send(403);
}
res.send(result.rows[0]);
return next();
});2) For multi-tenant apps, always filter by tenant_id derived from the session or API key:
server.get('/documents/:documentId', async (req, res, next) => {
const tenantId = req.tenant.id;
const { documentId } = req.params;
const result = await pool.query(
'SELECT * FROM documents WHERE document_id = $1 AND tenant_id = $2',
[documentId, tenantId]
);
if (!result.rows.length) {
return res.send(403);
}
res.send(result.rows[0]);
return next();
});3) Use parameterized queries consistently to avoid injection, and validate identifiers before using them in SQL. Even with proper filters, malformed IDs can cause errors or information leakage.
server.get('/items/:itemId', async (req, res, next) => {
const itemId = req.params.itemId;
if (!/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/.test(itemId)) {
return res.send(400);
}
const tenantId = req.tenant.id;
const result = await pool.query(
'SELECT * FROM items WHERE id = $1 AND tenant_id = $2',
[itemId, tenantId]
);
res.send(result.rows[0]);
return next();
});4) For broader protection, implement a request-scoped helper that adds tenant and user context to all queries, reducing the chance of accidental omission:
function secureQuery(sqlTemplate, params, req) {
const baseSql = sqlTemplate;
const queryParams = [...params];
if (req.tenant && req.tenant.id) {
// Assumes application schema includes tenant_id column on relevant tables
baseSql += ' AND tenant_id = $' + (queryParams.length + 1);
queryParams.push(req.tenant.id);
}
if (req.user && req.user.id) {
baseSql += ' AND user_id = $' + (queryParams.length + 1);
queryParams.push(req.user.id);
}
return pool.query(baseSql, queryParams);
}These patterns ensure that Cockroachdb queries are bound to the authenticated subject, aligning database access with API-level authorization. middleBrick can validate that such controls are present by scanning the endpoints and checking whether findings related to BOLA/IDOR and privilege escalation are reported with clear remediation steps.
In environments using the middleBrick Pro plan, continuous monitoring can be enabled so that any regression in access control logic triggers alerts. The GitHub Action can fail CI/CD builds if a new endpoint lacks required tenant or user filters, preventing insecure code from reaching production.