HIGH crlf injectionadonisjstypescript

Crlf Injection in Adonisjs (Typescript)

Scan for crlf injection in adonisjs

Crlf Injection in Adonisjs with Typescript

Crlf Injection occurs when an attacker can inject carriage return (CR, \r) and line feed (\n) sequences into an HTTP header or response, causing header injection, response splitting, or cache poisoning. AdonisJS, a Node.js web framework built around HTTP abstractions, can be vulnerable when user-controlled input is reflected into headers or status lines without proper sanitization. In a Typescript-based AdonisJS project, controllers typically handle requests and construct responses using framework helpers like response.header() or by directly setting status codes. If a developer passes unchecked input—such as a query parameter or form field—into these methods, an attacker can supply values like example.com\r\nSet-Cookie: auth=evil, causing the injected header to be appended to the response. Because Typescript compiles to JavaScript and does not inherently validate header values, the vulnerability maps directly to the underlying Node.js HTTP layer. AdonisJS utilities for building redirects or JSON responses often chain methods (e.g., response.redirect()), and if the URL or status is derived from user input, CRLF characters can break header integrity. This can lead to HTTP response splitting (splitting the response into multiple responses) or the injection of arbitrary headers, such as Location or Set-Cookie. The risk is especially pronounced when the framework’s route handlers do not validate or sanitize inputs before they reach header-setting logic. Attack patterns mirror classic CRLF injection techniques, where an attacker manipulates the protocol layer to inject malicious headers or split the response stream. Because AdonisJS often exposes endpoints that return user-influenced data (e.g., redirect URLs or dynamic headers), developers must treat any input flowing into header construction as untrusted. Even when using Typescript’s strong typing, runtime values remain unchecked unless explicitly validated, so the framework does not prevent these injections by default.

Typescript-Specific Remediation in Adonisjs

Remediation in AdonisJS with Typescript centers on strict input validation, output encoding, and avoiding the direct reflection of user input into HTTP headers or status lines. Use framework validation schemas (e.g., schema-based validation with schema from @ioc:AdonisJS/Validator) to enforce allowed formats for inputs that may affect headers or redirects. Never concatenate or interpolate user input into header keys or values; instead, use whitelisting for safe values. For redirects, prefer passing only validated URLs and rely on AdonisJS’s built-in helpers that do not allow header injection. Below are concrete Typescript examples demonstrating secure practices.

Insecure Example

The following code reflects a user-controlled next query parameter into a redirect, enabling CRLF injection:

import { HttpContextContract } from '@ioc:Adonisjs/Core/HttpContext'

export default class AuthController {
  public redirectAfterLogin({ request, response }: HttpContextContract) {
    const nextUrl = request.input('next', '/dashboard')
    // Vulnerable: user input directly used in redirect URL
    return response.redirect(nextUrl)
  }
}

Secure Remediation

Validate and sanitize the input, ensuring it does not contain CRLF characters and conforms to expected patterns:

import { HttpContextContract } from '@ioc:Adonisjs/Core/HttpContext'
import { schema, rules } from '@ioc:Adonisjs/Core/Validator'

const redirectSchema = schema.create({
  next: schema.string.optional({}, [
    rules.url({ trim: true }),
    rules.maxLength(2048),
    // Ensure no CRLF characters are present
    rules.regex(/^[^\r\n]*$/)
  ])
})

export default class AuthController {
  public async redirectAfterLogin({ request, response, validator }: HttpContextContract) {
    const payload = await validator.validate({ schema: redirectSchema })
    const nextUrl = payload.next || '/dashboard'
    // Safe: validated URL without CRLF
    return response.redirect(nextUrl)
  }
}

For header-setting operations, avoid user input entirely or sanitize rigorously:

import { HttpContextContract } from '@ioc:Adonisjs/Core/HttpContext'

export default class HeaderController {
  public setCustomHeader({ request, response }: HttpContextContract) {
    const userValue = request.input('label', 'default')
    // Remove any CR or LF characters
    const sanitized = userValue.replace(/[\r\n]/g, '')
    response.header('X-Custom-Value', sanitized)
    response.send({ status: 'ok' })
  }
}

Additionally, use AdonisJS’s built-in helpers for common operations (e.g., response.unauthorized() for redirects to login) to reduce manual header handling. When integrating with external services or APIs, ensure outbound requests do not propagate unsanitized values into headers, as this can affect both client and server sides.

Scan for crlf injection in adonisjs Free API security scan

Frequently Asked Questions

Can middleBrick detect CRLF injection in AdonisJS APIs?
Yes, middleBrick scans unauthenticated attack surfaces and includes input validation checks that can identify CRLF injection risks in API endpoints, including those built with AdonisJS and Typescript. Findings include severity, remediation guidance, and mapping to frameworks like OWASP API Top 10.
Does the free tier of middleBrick allow scanning AdonisJS endpoints for CRLF vulnerabilities?
Yes, the free tier provides 3 scans per month, which is sufficient to test AdonisJS endpoints for issues such as CRLF injection and to review actionable findings with remediation steps.

Related Pages

Crlf Injection in AdonisjsCrlf injection vulnerabilities in Adonisjs applications explained with specific attack patterns, detection methods, and CWE-1104 in Adonisjs (Typescript)CWE-1104 in AdonisJS with TypeScript: causes and TypeScript-specific remediation with code examples for error handling, CWE-117 in Adonisjs (Typescript)CWE-117 in AdonisJS with TypeScript: causes and TypeScript-specific fixes with code examplesCWE-116 in Adonisjs (Typescript)CWE-116 in AdonisJS with TypeScript: causes, risks, and concrete fixes using escaping, validation, and sanitization.CWE-113 in Adonisjs (Typescript)CWE-113 in AdonisJS with TypeScript: how HTTP response splitting occurs and type-safe fixes to prevent CRLF injection.Hipaa: Crlf Injection in AdonisjsHIPAA, CRLF injection, and Adonisjs: risks, remediation patterns, and secure header handling guidance.Gdpr: Crlf Injection in AdonisjsGDPR, Crlf Injection, and Adonisjs: understand the risk and apply concrete Adonisjs code fixes to prevent response splitIso 27001: Crlf Injection in AdonisjsExplore ISO 27001 controls for Crlf Injection in Adonisjs, including detection and remediation patterns with concrete AdCrlf Injection in Adonisjs with Jwt TokensExplore CRLF Injection in AdonisJS when JWT tokens are used. Learn how header manipulation risks arise and apply concretCis: Crlf Injection in AdonisjsCIS controls and Adonisjs: Crlf Injection risks, remediation patterns, header validation, and secure redirect strategiesCrlf Injection in Adonisjs with Basic AuthCrlf Injection in AdonisJS with Basic Auth: how decoded credentials can enable response splitting and practical fixes wiCrlf Injection in Adonisjs with Api KeysExplore Crlf Injection risks in AdonisJS when using API keys, with code samples and specific remediation steps.