HIGH container escaperestifydynamodb

Container Escape in Restify with Dynamodb

Scan for container escape in restify

Container Escape in Restify with Dynamodb — how this specific combination creates or exposes the vulnerability

A container escape in a Restify service that uses DynamoDB typically arises when the application processes untrusted input and uses it to construct system commands or dynamic SDK parameters that reach the container host. In this stack, an attacker may supply a malicious payload that manipulates how Restify routes requests or how the DynamoDB DocumentClient is invoked, leading to unintended behavior such as probing host paths or spawning processes.

For example, if a route parameter like tableName is directly interpolated into a DynamoDB operation without validation, and that operation is chained with a function that executes shell commands (e.g., via child_process), an attacker can leverage injection to escape the containerized environment. Common patterns include:

  • Command injection through unsanitized input fed to AWS CLI or SDK calls that include shell metacharacters.
  • Path traversal in file reads/writes triggered by DynamoDB attribute values that reference host paths, enabling interaction with sensitive host files.
  • Overly permissive IAM roles assigned to the container allowing the process to execute privileged operations on the host filesystem or runtime.

Because middleBrick tests unauthenticated attack surfaces, it can flag endpoints where DynamoDB inputs indirectly influence process execution or container interaction. The scanner checks for SSRF and unsafe consumption patterns that could enable an attacker to reach the container runtime from outside the intended API boundary.

Dynamodb-Specific Remediation in Restify — concrete code fixes

To reduce the risk of container escape when using DynamoDB in Restify, validate and sanitize all inputs that affect SDK calls or command construction. Use parameterized operations, avoid shell invocation, and enforce strict schema checks.

1. Validate table names and keys before SDK use

Do not trust client-supplied table names. Use an allowlist or strict regex to ensure only expected table names are used.

const validTables = new Set(['users', 'orders', 'products']);
function getTableParam(input) {
  if (!validTables.has(input)) {
    throw new Error('Invalid table name');
  }
  return input;
}

const aws = require('aws-sdk');
const docClient = new aws.DynamoDB.DocumentClient();

app.get('/items/:table', (req, res, next) => {
  try {
    const tableName = getTableParam(req.params.table);
    const params = {
      TableName: tableName,
      Key: { id: req.query.id }
    };
    docClient.get(params, (err, data) => {
      if (err) return next(err);
      res.send(data.Item);
    });
  } catch (err) {
    return next(err);
  }
});

2. Avoid shell execution when interacting with DynamoDB

Never construct shell commands from DynamoDB attribute values. Use the SDK directly and avoid child_process for AWS operations.

const aws = require('aws-sdk');
const { exec } = require('child_process');

// Unsafe: do not do this
// exec(`aws dynamodb get-item --table-name ${userSuppliedTable}`, (err, stdout) => { ... });

// Safe: use SDK with validated input
const docClient = new aws.DynamoDB.DocumentClient();
app.get('/safe-item', (req, res, next) => {
  const params = {
    TableName: 'users',
    Key: { id: req.query.id }
  };
  docClient.get(params, (err, data) => {
    if (err) return next(err);
    res.send(data.Item);
  });
});

3. Enforce least privilege and schema validation

Ensure the container’s IAM role only permits required DynamoDB actions on specific resources. Combine this with runtime input validation and output encoding to prevent data leakage that could aid an escape attempt.

const aws = require('aws-sdk');
const { body, validationResult } = require('express-validator');

app.post('/record', [
  body('partitionKey').isString().isLength({ min: 1, max: 255 }),
  body('sortKey').isString().isLength({ max: 1024 })
], (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).send({ errors: errors.array() });
  }

  const docClient = new aws.DynamoDB.DocumentClient();
  const params = {
    TableName: 'app_records',
    Item: {
      pk: req.body.partitionKey,
      sk: req.body.sortKey,
      data: req.body.data
    }
  };
  docClient.put(params, (err) => {
    if (err) return next(err);
    res.status(204).end();
  });
});
Scan for container escape in restify Free API security scan

Frequently Asked Questions

Can middleBrick detect a container escape risk in a Restify API that uses DynamoDB?
Yes. middleBrick scans unauthenticated attack surfaces and can flag endpoints where DynamoDB inputs influence process execution or container interactions, such as command injection or SSRF patterns that may enable container escape.
Does middleBrick fix container escape or DynamoDB misconfigurations automatically?
No. middleBrick detects and reports findings with remediation guidance. It does not fix, patch, or block issues. Developers should apply input validation, use the SDK safely, and follow least privilege as outlined in the remediation examples.

Related Pages

Container Escape in RestifyLearn how container escape can arise in Restify APIs, how middleBrick detects unsafe patterns, and how to fix them with Container Escape in DynamodbLearn how container escape can lead to unauthorized DynamoDB access, how to detect the risk with middleBrick, and specifContainer Escape in Restify on AwsUnderstand container escape risks in Restify on AWS, with AWS-specific remediation and secure code examples.Container Escape in Restify on AzureUnderstand container escape risks in Restify on Azure and apply concrete code fixes like non-root users, safe path handlOwasp Api Top 10: Container Escape in RestifyExplore how OWASP API Top 10 SSRF enables container escape via Restify APIs and apply concrete Restify fixes like host aHipaa: Container Escape in RestifyExplore HIPAA risks with container escape in Restify APIs. Learn remediation patterns and secure coding examples to reduGdpr: Container Escape in RestifyExplore GDPR risks in container escape via Restify APIs. Learn SSRF and path traversal fixes with concrete Restify code Nist: Container Escape in RestifyExplore how NIST guidelines apply to Restify in containers, with code examples and remediation steps to reduce containerContainer Escape in Restify with Mutual TlsContainer escape in Restify with mTLS: understand the interaction between runtime isolation and TLS auth, and apply striContainer Escape in Restify with Api KeysUnderstand container escape risks in Restify when using API keys, and apply concrete code fixes to limit scope and preveContainer Escape in Restify with Bearer TokensExplore container escape risks with Bearer Tokens in Restify, and apply concrete code fixes to secure token validation aContainer Escape in Restify with Hmac SignaturesExplore container escape risks in Restify when Hmac Signatures are misused. Learn concrete remediation and canonical Hma