HIGH container escaperestifycockroachdb

Container Escape in Restify with Cockroachdb

Scan for container escape in restify

Container Escape in Restify with Cockroachdb — how this specific combination creates or exposes the vulnerability

A container escape in a Restify service that exposes a Cockroachdb endpoint typically arises when an API endpoint inadvertently allows an attacker to execute commands or access the underlying container filesystem through the database interface or through unsafe request handling. Restify is a Node.js framework, and when it hosts endpoints that interact with Cockroachdb, misconfigurations can expose the attack surface.

Consider an endpoint that forwards raw query parameters directly to Cockroachdb without input validation. If an attacker can inject commands or manipulate the query structure, they may exploit command substitution or unsafe shell interactions to break out of the application’s runtime context. For example, if the application constructs a Cockroachdb SQL string using concatenation with user input, an attacker might supply input like ' OR 1=1; -- to alter query logic, or in more extreme cases, attempt to invoke OS-level commands through compromised database functions or client utilities if the container runs with elevated privileges.

The container environment amplifies the risk. If the Restify container shares the host PID namespace or has access to the Docker socket, an attacker who achieves code execution via the API could attempt to read sensitive host files or interact with other containers. Cockroachdb, when exposed without proper network segmentation, may allow an attacker to leverage database credentials or configuration files mounted as volumes inside the container, leading to lateral movement or persistence.

In a black-box scan using middleBrick, such issues are surfaced through checks like Input Validation, Property Authorization, and Unsafe Consumption. The scanner tests whether unauthenticated requests can trigger unexpected behavior — for instance, by sending malformed queries or manipulating headers to probe for path traversal or command injection vectors. Because middleBrick performs unauthenticated testing, it can identify endpoints that erroneously trust client-supplied data when constructing Cockroachdb operations.

An example of a vulnerable Restify route is one that builds a Cockroachdb query from URL parameters without sanitization:

server.get('/users/:tenantId', (req, res) => {
  const tenantId = req.params.tenantId;
  const query = `SELECT * FROM users WHERE tenant_id = ${tenantId}`;
  pool.query(query, (err, result) => {
    if (err) return res.send(500, { error: err.message });
    res.send(200, result.rows);
  });
});

If tenantId is not strictly validated, an attacker could supply a value like 1; DROP TABLE users; --, leading to unintended operations. In a containerized deployment, this could escalate to broader compromise if the database process runs with high privileges or if the container has access to sensitive volumes.

Cockroachdb-Specific Remediation in Restify — concrete code fixes

Remediation focuses on strict input validation, parameterized queries, and runtime hardening. Never concatenate user input into SQL strings. Instead, use prepared statements or query builders that enforce type safety. For Cockroachdb with Node.js, the pg client supports parameterized queries, which ensure that user input is treated strictly as data.

Below is a secure Restify route example that uses parameterized queries with Cockroachdb:

const restify = require('restify');
const { Pool } = require('pg');

const server = restify.createServer();
const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
});

server.get('/users/:tenantId', async (req, res, next) => {
  const tenantId = req.params.tenantId;

  // Validate tenantId is a positive integer
  if (!/^\d+$/.test(tenantId)) {
    return res.send(400, { error: 'Invalid tenant ID' });
  }

  try {
    const result = await pool.query(
      'SELECT id, name, email FROM users WHERE tenant_id = $1',
      [tenantId]
    );
    res.send(200, result.rows);
  } catch (err) {
    res.send(500, { error: 'Database error' });
  }
  return next();
});

server.listen(8080, () => {
  console.log('Server listening on port 8080');
});

This approach eliminates SQL injection risks by using placeholders ($1) and passing values separately. Additionally, enforce least privilege for the Cockroachdb user your application connects with — grant only SELECT, INSERT, UPDATE, DELETE as needed, and avoid using a superuser account in production.

Further hardening steps include:

  • Restrict container capabilities: do not run the Restify process as root, and drop unnecessary Linux capabilities.
  • Use network policies to isolate the Cockroachdb port, allowing connections only from the Restify container.
  • Mount configuration files as read-only volumes to prevent tampering with credentials.
  • Enable Cockroachdb’s TLS encryption for client connections and use strong authentication mechanisms.

middleBrick can validate these defenses by scanning the API endpoints and checking for insecure practices such as missing input validation or excessive permissions. Using the CLI (middlebrick scan <url>) or the GitHub Action, teams can integrate these checks into CI/CD pipelines to catch regressions before deployment.

Scan for container escape in restify Free API security scan

Frequently Asked Questions

How can I test my Restify endpoints for container escape risks without a full scan?
Send parameterized requests that include shell metacharacters (e.g., ;, &, |) in URL parameters and observe whether the server executes unexpected commands or returns stack traces. Combine this with a review of container configurations, such as mounted volumes and process user IDs.
Does middleBrick detect container escape risks specific to Cockroachdb in Restify APIs?
middleBrick identifies related issues through its Input Validation, Property Authorization, and Unsafe Consumption checks. While it does not test container internals, it flags unsafe API behaviors that could lead to broader compromise when interacting with Cockroachdb.

Related Pages

Container Escape in RestifyLearn how container escape can arise in Restify APIs, how middleBrick detects unsafe patterns, and how to fix them with Container Escape in CockroachdbContainer Escape in CockroachdbContainer Escape in Restify on AwsUnderstand container escape risks in Restify on AWS, with AWS-specific remediation and secure code examples.Container Escape in Restify on AzureUnderstand container escape risks in Restify on Azure and apply concrete code fixes like non-root users, safe path handlOwasp Api Top 10: Container Escape in RestifyExplore how OWASP API Top 10 SSRF enables container escape via Restify APIs and apply concrete Restify fixes like host aHipaa: Container Escape in RestifyExplore HIPAA risks with container escape in Restify APIs. Learn remediation patterns and secure coding examples to reduGdpr: Container Escape in RestifyExplore GDPR risks in container escape via Restify APIs. Learn SSRF and path traversal fixes with concrete Restify code Nist: Container Escape in RestifyExplore how NIST guidelines apply to Restify in containers, with code examples and remediation steps to reduce containerContainer Escape in Restify with Mutual TlsContainer escape in Restify with mTLS: understand the interaction between runtime isolation and TLS auth, and apply striContainer Escape in Restify with Api KeysUnderstand container escape risks in Restify when using API keys, and apply concrete code fixes to limit scope and preveContainer Escape in Restify with Bearer TokensExplore container escape risks with Bearer Tokens in Restify, and apply concrete code fixes to secure token validation aContainer Escape in Restify with Hmac SignaturesExplore container escape risks in Restify when Hmac Signatures are misused. Learn concrete remediation and canonical Hma