Command Injection in Feathersjs with Cockroachdb

Command Injection occurs when an attacker can inject and execute arbitrary system commands through an application. In a Feathersjs application using Cockroachdb, the risk typically arises not from Cockroachdb itself (which is a SQL database), but from unsafe interactions where untrusted input is passed to shell commands or underlying system calls, often while configuring database clients or spawning subprocesses.

Feathersjs is a framework for building REST and real-time APIs. When developers extend services with custom logic or hooks, they may inadvertently use Node.js functions like exec, spawn, or child_process to interact with the operating system. If user-controlled data — such as query parameters, request bodies, or headers — is concatenated into these commands without proper validation or escaping, an attacker can manipulate the command string to execute arbitrary code on the host.

Cockroachdb comes into the picture in two realistic scenarios:

• During deployment or migration scripts, a Feathersjs service might invoke shell commands to run cockroach CLI utilities (for instance, to create databases, manage users, or execute SQL files). If these commands incorporate inputs like database names or table names from the request, an attacker can inject additional shell commands using shell metacharacters (;, &&, ||, &, backticks, or $()).
• Misconfigured service hooks may log or inspect database metadata by calling Cockroachdb-specific diagnostic commands via Node.js child processes. If these values are derived from request inputs, the command string becomes controllable.

For example, consider a custom Feathersjs hook that accepts a database parameter from the query string and uses it to run a Cockroachdb SQL file:

const { exec } = require('child_process');
app.service('db-tools').hooks({
  before: {
    create: [async context => {
      const dbName = context.params.query.database;
      exec(`cockroach sql --execute="RESTORE DATABASE ${dbName} FROM 'backup'"`, (error, stdout, stderr) => {
        context.result = { stdout, stderr };
      });
      return context;
    }]
  }
});

An attacker sending database=mydb; rm -rf / could cause the system to execute an unintended command. This is a classic command injection vector enabled by concatenating untrusted input into a shell command. The Feathersjs framework does not introduce this flaw by itself, but its flexibility in allowing custom hooks and services can expose such patterns if security best practices are overlooked.

The LLM/AI Security checks in middleBrick specifically test for system prompt leakage and active prompt injection, but they do not analyze backend code patterns like command injection. Therefore, developers must manually review hooks and services for unsafe subprocess usage, especially when integrating with external tools such as Cockroachdb CLI.

Remediation focuses on avoiding shell command construction with untrusted data and using safe alternatives for database interactions. The preferred approach is to use Cockroachdb’s native Node.js driver rather than invoking shell commands. This eliminates the command injection surface entirely.

1. Use the Cockroachdb Node.js driver safely

Instead of executing shell commands, connect directly using the official driver and parameterized queries. This is both safer and more efficient.

const postgres = require('postgres');
// Using the native CockroachDB-compatible driver
const connectionString = 'postgresql://user:password@localhost:26257/mydb?sslmode=require';
const client = postgres(connectionString);

async function getTableData(tableName) {
  // tableName is still untrusted; use whitelisting or strict validation
  const allowedTables = ['users', 'orders', 'products'];
  if (!allowedTables.includes(tableName)) {
    throw new Error('Invalid table name');
  }
  const query = `SELECT * FROM ${tableName}`; // Still using template because table name cannot be parameterized in SQL
  const result = await client.query(query);
  return result;
}

2. Validate and sanitize all inputs used in system commands

If shell commands are unavoidable (for example, during migrations), strictly validate and sanitize inputs. Use an allowlist and avoid direct concatenation.

const { execFile } = require('child_process');
app.service('db-tools').hooks({
  before: {
    create: [async context => {
      const dbName = context.params.query.database;
      const allowedDatabases = ['mydb', 'analytics', 'logs'];
      if (!allowedDatabases.includes(dbName)) {
        throw new Error('Invalid database name');
      }
      // Use execFile with separate arguments to avoid shell injection
      execFile('cockroach', ['sql', '--execute', `RESTORE DATABASE ${dbName} FROM 'backup'`], (error, stdout, stderr) => {
        if (error) {
          context.error = error;
          return;
        }
        context.result = { stdout, stderr };
      });
      return context;
    }]
  }
});

3. Avoid shell metacharacters entirely

Never pass raw user input to shell commands. If you must use shell features, escape metacharacters rigorously or use built-in APIs that do not invoke a shell. For Feathersjs services that interact with Cockroachdb, rely on the driver’s query methods rather than custom scripts.

// Unsafe: vulnerable to command injection
// exec(`cockroach node status --host=${userInputHost}`);

// Safer: use the driver
const result = await client.query('SHOW DATABASES');

By combining input validation, use of native drivers, and avoiding shell command construction, the risk of command injection in a Feathersjs application using Cockroachdb is significantly reduced.