Cache Poisoning in Koa with Cockroachdb

Cache poisoning in a Koa application that uses CockroachDB typically occurs when an attacker manipulates data that is subsequently cached and served to other users or future requests. Because CockroachDB is a distributed SQL database commonly used for strong consistency and horizontal scalability, developers may assume that stored data is inherently safe; however, the application layer remains responsible for validating and sanitizing inputs before caching decisions are made.

In a typical Koa app, middleware may query CockroachDB based on request parameters, store the result in an in-memory or external cache, and return the cached result for similar requests. If the query parameters are not properly validated, an attacker can inject crafted values that cause the application to cache malicious or incorrect responses. For example, an endpoint like /users/:id might directly concatenate the :id parameter into a SQL query without normalization, and if the result is cached with a key derived from the raw parameter, poisoned data persists across requests.

Because CockroachDB supports complex queries and distributed transactions, developers sometimes build caching logic that relies on query results without verifying that the inputs align with expected formats or authorization contexts. This becomes critical in scenarios involving tenant isolation or user-specific data: if a request for one tenant’s data is cached under a key that does not include tenant context, subsequent requests from other tenants might receive the poisoned cache entry, exposing information or enabling privilege escalation.

Additionally, Koa applications that use JSON-based APIs are vulnerable when response shapes are cached without normalizing field values. An attacker who can influence a field such as a user-supplied label or URL path segment might cause the cached response to contain misleading or malicious content. The distributed nature of CockroachDB means that once a poisoned entry is written to one node and propagated, it can be served to many clients until the cache entry expires or is invalidated, making detection more difficult without robust logging and monitoring.

To identify this pattern using middleBrick, you would submit the API endpoint URL for an unauthenticated scan. The tool checks input validation, rate limiting, and data exposure controls while leveraging OpenAPI/Swagger specs (including $ref resolution) to compare runtime behavior against declared models. This helps surface endpoints where raw user input flows into cache keys or cached payloads without sufficient sanitization or tenant-aware segregation.

Remediation focuses on ensuring that all inputs used to construct SQL queries and cache keys are strictly validated, parameterized, and scoped by tenant or user context. Below are concrete patterns for a Koa app using CockroachDB via the pg client, which is compatible with CockroachDB’s PostgreSQL wire protocol.

1. Parameterized queries and input validation

Always use parameterized statements instead of string concatenation. Validate identifiers and IDs against a strict allowlist or regex before using them in SQL.

const { Client } = require('pg');
const client = new Client({ connectionString: process.env.DATABASE_URL });

async function getUserById(ctx) {
  const id = ctx.params.id;
  // Validate ID format before querying
  if (!/^[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}$/i.test(id)) {
    ctx.status = 400;
    ctx.body = { error: 'Invalid user ID format' };
    return;
  }
  const res = await client.query('SELECT id, name, email FROM users WHERE id = $1', [id]);
  if (res.rows.length === 0) {
    ctx.status = 404;
    return;
  }
  ctx.body = res.rows[0];
}

2. Cache key normalization and tenant scoping

Include tenant ID and validated parameters in cache keys. Avoid caching responses that contain user-specific data without tenant context.

const getCacheKey = (tenantId, userId) => `tenant:${tenantId}:user:${userId}`;

async function getCachedUser(ctx) {
  const tenantId = ctx.state.tenant.id; // from authentication middleware
  const userId = ctx.params.id;
  const key = getCacheKey(tenantId, userId);
  const cached = await cache.get(key);
  if (cached) {
    ctx.body = JSON.parse(cached);
    return;
  }
  const res = await client.query('SELECT id, name, email FROM users WHERE id = $1 AND tenant_id = $2', [userId, tenantId]);
  if (res.rows.length === 0) {
    ctx.status = 404;
    return;
  }
  await cache.set(key, JSON.stringify(res.rows[0]), { ttl: 300 });
  ctx.body = res.rows[0];
}

3. Response normalization and avoiding injection into cache

Strip or transform fields that could be influenced by an attacker before caching. Do not cache raw responses that include dynamic user-controlled strings without normalization.

function normalizeUserForCache(user) {
  return {
    id: user.id,
    name: user.name.trim().substring(0, 100),
    email: user.email.toLowerCase(),
    // Remove any fields not intended for cache
    role: user.role
  };
}

async function getSafeCachedUser(ctx) {
  const tenantId = ctx.state.tenant.id;
  const userId = ctx.params.id;
  const key = getCacheKey(tenantId, userId);
  const cached = await cache.get(key);
  if (cached) {
    ctx.body = JSON.parse(cached);
    return;
  }
  const res = await client.query('SELECT id, name, email, role FROM users WHERE id = $1 AND tenant_id = $2', [userId, tenantId]);
  if (res.rows.length === 0) {
    ctx.status = 404;
    return;
  }
  const safeUser = normalizeUserForCache(res.rows[0]);
  await cache.set(key, JSON.stringify(safeUser), { ttl: 300 });
  ctx.body = safeUser;
}

These patterns ensure that inputs are treated as data rather than executable logic, cache entries are scoped to prevent cross-tenant leakage, and responses are normalized before being stored. Using middleBrick’s CLI (middlebrick scan <url>) or GitHub Action can help detect endpoints where cache poisoning risks exist by correlating input validation, data exposure, and OpenAPI spec mismatches.