Command Injection in Rocket with Basic Auth

Command Injection occurs when an attacker can cause a web application to execute arbitrary operating system commands. In the Rocket framework, this risk can emerge when request parameters or headers are passed to a system shell or a low-level process builder without proper validation or escaping. When Basic Authentication is used, the Authorization header is base64-encoded and decoded to a string of the form username:password. If a Rocket handler splits or parses this header and directly incorporates user-controlled data into a command invocation, the injected payload may be executed with the application’s runtime permissions.

For example, consider a handler that uses the decoded Basic Auth credentials to construct a system command for diagnostics or logging. An attacker who controls the username or password can inject shell metacharacters such as &, |, or ;. In Rocket, route parameters and managed state are typically typed and deserialized, so the danger often arises when developers explicitly extract headers or query strings and forward them to an OS process. The combination of permissive input handling and the presence of Basic Auth credentials in the request increases the likelihood that an injected command will be executed in a privileged context, leading to unauthorized data access or further compromise.

middleBrick detects this risk pattern during black-box scanning by submitting requests that include crafted Basic Auth strings containing command metacharacters and inspecting process-level side effects or output leakage. The scanner checks whether the application reflects injected content in responses or triggers unexpected behavior without requiring authentication, highlighting cases where user-controlled data reaches system-level execution paths.

When reviewing your Rocket service, ensure that any use of external commands avoids direct concatenation of request-derived strings. Prefer typed APIs and strict allowlists over shell-based operations. If shell invocation is necessary, rigorously escape arguments and avoid interpolating credentials or other attacker-influenced values.

To mitigate Command Injection in Rocket when using Basic Authentication, keep credentials out of any command construction and validate all inputs. Below are concrete, safe patterns and examples.

1. Avoid building commands from Basic Auth credentials

Do not parse the Authorization header to extract credentials for use in shell commands. Instead, use Rocket’s managed state and typed extractors for configuration that is safe and static.

// Unsafe: using Authorization header values in a command
#[get("/run/")]
fn unsafe_run(cmd: String, auth: Option) -> String {
    if let Some(header) = auth {
        let decoded = decode_basic_auth(&header.0); // "user:pass"
        let parts: Vec<&str> = decoded.split(':').collect();
        let username = parts[0];
        // Dangerous: username used in command
        Command::new("sh")
            .arg("-c")
            .arg(format!("echo logged as {}", username))
            .output()
            .unwrap()
            .to_string_lossy()
            .into_owned()
    } else {
        "Unauthorized".to_string()
    }
}

The above pattern is hazardous because the decoded username can contain shell metacharacters. An attacker sending Authorization: Basic d3Jvbmc7Cg== (which decodes to user;id) can cause unintended command execution.

2. Use typed configuration and strict allowlists

Define allowed commands and arguments statically, and use Rocket’s config or managed state to supply non-user-controlled values.

use rocket::serde::json::Json;
use rocket::State;
use std::process::Command;

struct AppConfig {
    allowed_commands: Vec,
}

#[get("/run")]
fn safe_run(
    cmd: &rocket::http::Query<HashMap<String, String>>,
    config: &State<AppConfig>,
) -> Json<serde_json::Value> {
    let key = cmd.get("action").unwrap_or(&"".to_string());
    if !config.allowed_commands.contains(key) {
        return Json(json!({ "error": "command not allowed" }));
    }

    // Safe: command and arguments are controlled by the developer
    let output = Command::new("hostname")
        .arg("--short")
        .output()
        .expect("failed to execute process");

    let result = String::from_utf8_lossy(&output.stdout).to_string();
    Json(json!({ "result": result }))
}

This approach ensures that user input never reaches the shell. The allowed commands are defined in code or configuration and are not derived from the request. Basic Auth can still be used for access control via Rocket’s fairing or guards, without being concatenated into commands.

3. Use Rust libraries instead of shelling out

Where possible, replace shell invocations with native Rust crates. For example, use users to read account information instead of parsing passwd via sh. This eliminates shell injection entirely.

// Safe: no shell involved
use users::get_current_user;

#[get("/whoami")]
fn whoami() -> Json<serde_json::Value> {
    if let Some(user) = get_current_user() {
        Json(json!({ "user": user.name().to_string_lossy() }))
    } else {
        Json(json!({ "error": "unable to get user" }))
    }
}

By avoiding shell interpretation and validating inputs against strict allowlists, you reduce the attack surface for Command Injection while still leveraging Basic Authentication for access control in Rocket.