Container Escape in Restify (Javascript)

Restify is a Node.js framework optimized for building REST APIs, often deployed in containerized environments like Docker. A container escape occurs when an attacker breaks out of the isolated container runtime to gain unauthorized access to the host system or other containers. In Restify applications, this risk is typically not due to the framework itself but arises from misconfigurations or vulnerable dependencies that expose the host filesystem, privileged sockets, or unsafe process execution.

One common vector is the misuse of child processes. If a Restify endpoint accepts user input and passes it directly to child_process.exec() or spawn() without proper sanitization, an attacker can inject shell commands. For example, an endpoint that takes a filename parameter and uses it in a grep command could be exploited to execute arbitrary code. If the container runs with privileged capabilities (e.g., CAP_SYS_ADMIN) or mounts the host’s /var/run/docker.sock, the attacker might use this to escape the container by interacting with the Docker daemon.

Another risk involves static file serving. Restify’s serveStatic plugin, if misconfigured to serve files from a root directory without proper path validation, could allow directory traversal. An attacker might read sensitive host files like /etc/passwd or /proc/self/environ, which could reveal environment variables, including cloud credentials or SSH keys, facilitating further escalation.

Additionally, if the Restify app uses outdated or vulnerable npm packages (e.g., a dependency with a known prototype pollution or command injection flaw), and the container runs as root, the attacker might exploit the vulnerability to execute code with host-level privileges. middleBrick detects such risks by identifying exposed endpoints that accept unsanitized input, checking for dangerous function usage in runtime behavior, and flagging missing input validation — all without requiring agents or configuration.

To mitigate container escape risks in Restify applications, focus on input validation, principle of least privilege, and secure dependency management. Below are specific, actionable fixes for common Javascript vulnerabilities in Restify.

1. Prevent command injection in child processes: Never pass user input directly to exec() or spawn(). Use execFile() with a fixed command and pass arguments as an array.

const { execFile } = require('child_process');
const restify = require('restify');
const server = restify.createServer();

server.get('/log/:id', (req, res, next) => {
  const logId = req.params.id;
  // Validate input: only allow alphanumeric
  if (!/^[a-zA-Z0-9]+$/.test(logId)) {
    return res.send(400, { error: 'Invalid log ID' });
  }
  // Safe execution: fixed command, args as array
  execFile('cat', ['/var/log/app/' + logId + '.log'], (err, stdout) => {
    if (err) return res.send(500);
    res.send(stdout);
    next();
  });
});

server.listen(3000);

2. Secure static file serving: Use serveStatic with a restricted directory and enable path validation to prevent directory traversal.

const restify = require('restify');
const server = restify.createServer();

// Serve only from ./public, reject '..' and absolute paths
server.get(/^/public/(.*)/, restify.plugins.serveStatic({
  directory: './public',
  maxAge: 0,
  etag: false
}));

server.listen(3000);

3. Run containers with minimal privileges: Ensure your Dockerfile runs the app as a non-root user and avoids mounting dangerous sockets.

# Dockerfile
FROM node:18-alpine
WORKDIR /app
COPY package*.json .
RUN npm ci --only=production
COPY . .
RUN chown -R node:node /app
USER node
EXPOSE 3000
CMD ["node", "server.js"]

These practices reduce the attack surface. middleBrick helps by scanning for endpoints that exhibit risky patterns — such as unsanitized input flowing to dangerous functions — and provides remediation guidance tailored to the findings, enabling developers to fix issues before deployment.