Container Escape in Actix with Basic Auth

A container escape in an Actix web service that uses HTTP Basic Authentication occurs when a vulnerability in authentication, routing, or input handling allows an attacker to break out of the containerized environment and interact with the host or other containers. The combination of Basic Auth and Actix can expose risks if authentication is applied inconsistently, if routes are overly permissive, or if sensitive host paths are inadvertently exposed.

Actix is a Rust web framework that relies on explicit route definitions and middleware for request handling. When Basic Auth is implemented without tight scope control, an attacker may probe for routes that skip authentication or that expose administrative endpoints. If the container has access to host sockets or sensitive files (e.g., /proc, Docker socket at /var/run/docker.sock), an authenticated request that traverses paths like /actix-admin/../../var/run/docker/containers can lead to host interaction. This occurs when path traversal or improper route matching permits access beyond intended boundaries.

Another scenario involves service discovery within a container mesh. If Actix endpoints expose internal hostnames or ports via query parameters or response bodies (for example, returning stack traces with host paths), an authenticated user can map the internal network. Combined with missing network segmentation, this can enable lateral movement to other containers that do not require authentication. The risk is compounded when CORS or referrer policies are misconfigured, allowing cross-origin authenticated sessions that broaden the attack surface beyond the container perimeter.

middleBrick scans such configurations by checking authentication coverage across all discovered routes, flagging endpoints that allow unauthenticated access to sensitive paths. It also tests for path traversal patterns (e.g., ../../../) and excessive data exposure in error responses, which can reveal host filesystem details. These checks help identify misconfigurations where Basic Auth is present but not uniformly enforced, or where container-level access controls are insufficient.

To secure Actix services using HTTP Basic Authentication, enforce authentication on all sensitive routes, avoid exposing host information, and validate input strictly. Below are concrete code examples that demonstrate secure implementation patterns.

1. Enforce Basic Auth on all routes with a shared middleware guard

Use Actix middleware to require authentication for the entire application or for specific scopes. This prevents route-specific omissions that can lead to container escape via forgotten endpoints.

use actix_web::{web, App, HttpResponse, HttpServer, middleware, http::header};
use actix_web::http::StatusCode;
use actix_web::dev::{ServiceRequest, ServiceResponse};
use actix_web::error::ErrorUnauthorized;
use futures_util::future::{ok, Ready};

fn basic_auth_middleware() -> impl Fn(ServiceRequest) -> Ready<Result<ServiceRequest, (StatusCode, String)>> {
    |req: ServiceRequest| {
        let head = req.headers();
        let valid = head.get("authorization")
            .and_then(|v| v.to_str().ok())
            .and_then(|s| {
                if s.starts_with("Basic ") {
                    Some(s)
                } else { None }
            })
            .and_then(|s| {
                let encoded = s.trim_start_matches("Basic ");
                base64::decode(encoded).ok()
            })
            .and_then(|bytes| {
                let cred = String::from_utf8(bytes).ok()?;
                let parts: Vec<&str> = cred.splitn(2, ':').collect();
                if parts.len() == 2 && parts[0] == "admin" && parts[1] == "secret" {
                    Some(())
                } else { None }
            });
        if valid.is_some() {
            ok(req)
        } else {
            futures_util::future::err((StatusCode::UNAUTHORIZED, "Invalid credentials".to_string()))
        }
    }
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .wrap(middleware::DefaultHeaders::new().add((
                header::STRICT_TRANSPORT_SECURITY,
                "max-age=31536000; includeSubDomains"
            )))
            .default_service(web::route().to(|| async { HttpResponse::Unauthorized().finish() }))
    })
    .bind("0.0.0.0:8080")?
    .run()
    .await
}

2. Scope authentication to specific paths and avoid host leakage

Limit Basic Auth to administrative paths and ensure error handlers do not expose host or filesystem details. Use web::scope to apply middleware selectively and sanitize responses.

use actix_web::{web, App, HttpResponse, HttpServer};
use actix_web::http::StatusCode;

async fn admin_handler() -> HttpResponse {
    HttpResponse::Ok().body("Admin panel: safe operation")
}

async fn public_handler() -> HttpResponse {
    HttpResponse::Ok().body("Public endpoint")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .service(
                web::scope("/admin")
                    .wrap(actix_web::middleware::from_fn(|req, srv| {
                        let head = req.headers();
                        let valid = head.get("authorization")
                            .and_then(|v| v.to_str().ok())
                            .and_then(|s| s.strip_prefix("Basic "))
                            .and_then(|b| {
                                let decoded = base64::decode(b).ok()?;
                                let cred = String::from_utf8(decoded).ok()?;
                                if cred == "admin:secret" { Some(()) } else { None }
                            });
                        if valid.is_some() {
                            srv.call(req)
                        } else {
                            async { Ok(actix_web::dev::ServiceResponse::new(
                                req.into_parts().0,
                                HttpResponse::Unauthorized().finish().into_body(),
                            ))}
                        }
                    }))
                    .route("/", web::get().to(admin_handler))
            )
            .route("/", web::get().to(public_handler))
    })
    .bind("0.0.0.0:8080")?
    .run()
    .await
}

3. Avoid exposing host paths in errors and responses

Configure custom error handlers to prevent stack traces or filesystem details from being returned. This reduces the risk of an authenticated user learning host paths that could aid in container escape.

use actix_web::{App, HttpResponse, HttpServer, error};

async fn fallback() -> HttpResponse {
    HttpResponse::InternalServerError().json(serde_json::json!({
        "error": "Internal server error"
    }))
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    let server = HttpServer::new(|| {
        App::new()
            .default_service(web::route().to(|| async { HttpResponse::NotFound().finish() }))
            .register_error_handler(|err: error::Error| {
                let msg = err.to_string();
                // Avoid including host or path in messages
                if msg.contains("/host") || msg.contains("/proc") {
                    HttpResponse::InternalServerError().json(serde_json::json!({ "error": "Server error" }))
                } else {
                    HttpResponse::InternalServerError().json(serde_json::json!({ "error": "Internal server error" }))
                }
            })
    });
    server.bind("0.0.0.0:8080")?.run().await
}

These patterns ensure that Basic Auth is consistently enforced, host details are not surfaced, and administrative scopes are isolated. Complementary practices include network segmentation between containers and restricting filesystem mounts to read-only where possible.