Crlf Injection in Fastapi with Cockroachdb
Crlf Injection in Fastapi with Cockroachdb — how this specific combination creates or exposes the vulnerability
Crlf Injection occurs when an attacker can inject a CRLF sequence (\r\n) into a header or log entry, causing header splitting or log injection. In a Fastapi application that uses Cockroachdb, this typically arises when user-controlled input is reflected into HTTP response headers or server-side logs without proper sanitization. Fastapi does not automatically sanitize inputs used in headers, and Cockroachdb drivers often surface raw query values in logs or error messages, creating a path for injection.
Consider a Fastapi endpoint that accepts a user_id parameter and queries Cockroachdb to retrieve profile data. If the endpoint copies a header value (e.g., X-Request-ID) into another header or uses the value in a log statement, an attacker can inject \r\n to append new headers or fake log lines. For example, a crafted request with X-Request-ID: abc\r\nSet-Cookie: malicious=1 can cause the server to emit an additional Set-Cookie header if the application concatenates input into headers without validation. Cockroachdb logs may also include the raw query parameters, so injected sequences can appear in database-side audit logs, complicating traceability and enabling log forging.
The combination of Fastapi’s flexibility in handling headers and Cockroachdb’s detailed logging means injection points can exist in both the application layer and the database interaction layer. Even when the database does not interpret CRLF as a control character, the web layer may misinterpret injected sequences, leading to response splitting or cache poisoning. MiddleBrick’s LLM/AI Security checks and header-related scans can detect whether user input reaches response headers or logs, providing visibility into these classes of weaknesses without requiring credentials or agents.
Cockroachdb-Specific Remediation in Fastapi — concrete code fixes
Remediation focuses on strict input validation, avoiding reflection of untrusted data into headers, and ensuring Cockroachdb interactions do not expose raw user input in logs. Below are concrete code examples for a Fastapi service that safely queries Cockroachdb using asyncpg or an ORM-like layer.
1. Validate and sanitize inputs before using them in headers or logs
Never pass raw user input into headers. If you must include an identifier in logging, sanitize it first.
from fastapi import FastAPI, Header, HTTPException
import re
app = FastAPI()
# Allow only safe characters for identifiers
SAFE_ID_RE = re.compile(r'^[a-zA-Z0-9_-]{1,64}$')
def sanitize_id(value: str) -> str:
if not SAFE_ID_RE.match(value):
raise ValueError('Invalid identifier')
return value
@app.get('/users/{user_id}')
async def get_user(user_id: str, x_request_id: str = Header(None)):
safe_id = sanitize_id(user_id)
safe_request_id = sanitize_id(x_request_id) if x_request_id else 'unknown'
# Use safe_request_id in structured logging, not raw header values
print(f'[request:{safe_request_id}] fetching user={safe_id}')
# Proceed to query Cockroachdb safely
return {'user_id': safe_id}
2. Use parameterized queries with Cockroachdb to avoid injection and reflection
When interacting with Cockroachdb, always use parameterized queries. This prevents SQL injection and avoids accidental inclusion of raw values in logs or error messages that could contain CRLF.
import asyncpg
from fastapi import Depends
async def get_db_pool():
# Assume pool is created elsewhere with secure connection details
return asyncpg.create_pool(user='app', database='db', host='cockroachdb.example.com', password='...')
@app.get('/profiles/{user_id}')
async def get_profile(user_id: str, pool: asyncpg.Pool = Depends(get_db_pool)):
safe_id = sanitize_id(user_id)
async with pool.acquire() as conn:
# Parameterized query ensures safe handling of values
row = await conn.fetchrow('SELECT id, display_name FROM profiles WHERE id = $1', safe_id)
if row is None:
raise HTTPException(status_code=404, detail='Not found')
# Do not echo raw user_id into any header or log field that could be reflected
return {'id': row['id'], 'display_name': row['display_name']}
3. Secure logging and header handling
Ensure logs do not contain raw user input that could include CRLF. Use structured logging with predefined fields, and avoid concatenating headers into other headers. If you must propagate a request identifier, use a sanitized version.
import logging
logger = logging.getLogger('api')
@app.middleware('http')
async def audit_middleware(request, call_next):
# Extract and sanitize any identifiers you need
raw = request.headers.get('X-Trace-Id', 'none')
trace_id = sanitize_id(raw) if raw else 'none'
response = await call_next(request)
# Safe structured log line; no CRLF in trace_id due to sanitize_id
logger.info('response', extra={'trace_id': trace_id, 'status': response.status_code})
return response
4. MiddleBrick integrations for ongoing detection
Use the middleBrick CLI to scan your Fastapi endpoints for header reflection and log injection risks. The scan runs in 5–15 seconds and checks header handling, input validation, and data exposure without requiring credentials. If you integrate middleBrick into CI/CD, you can fail builds when risk scores drop below your chosen threshold, helping prevent regressions.
# Example: scan your Fastapi service from the terminal
middlebrick scan https://api.example.com/openapi.json