Crlf Injection in Fiber with Firestore

Crlf Injection occurs when an attacker can inject CRLF characters (\r\n) into HTTP headers or other reflection points. In a Fiber application that uses Firestore, this risk arises when user-controlled input is placed into response headers or query values that are later reflected without sanitization. For example, if a route accepts a document ID or a redirect target and passes it directly into a header such as Location or a custom header, an attacker can inject newline sequences to split the header and inject additional headers or body content.

Consider a Fiber route that retrieves a Firestore document by an ID provided via a query parameter and sets a custom header with that ID. If the ID contains CRLF sequences, an attacker can inject extra headers. Below is an insecure example:

const { app } = require('express');
const { getFirestore, doc, getDoc } = require('firebase/firestore');
const db = getFirestore();
const app = require('fastify')();

app.get('/doc', async (req, res) => {
  const docId = req.query.id; // user-controlled
  const docRef = doc(db, 'items', docId);
  const snap = await getDoc(docRef);
  if (snap.exists()) {
    res.set('X-Document-ID', docId); // vulnerable: unsanitized reflection
    res.send(snap.data());
  } else {
    res.status(404).send('Not found');
  }
});

If an attacker calls /doc?id=abc%0D%0AX-Custom: injected, the header line split can cause X-Custom: injected to be interpreted as a separate header. This can lead to HTTP response splitting, cache poisoning, or cross-site scripting when the reflected value is later consumed by a browser.

In a Firestore context, a second risk involves documents that store user-supplied header-like values (e.g., a redirect URL or a label) and later include them in server-generated responses. If an admin exports or displays such documents without encoding, the stored CRLF characters can be reflected into headers when the export is processed by a vulnerable route. The combination of Firestore as a data store and Fiber’s header manipulation creates a chain where persistence amplifies injection impact.

The LLM/AI Security checks unique to middleBrick are designed to detect system prompt leakage and prompt injection attempts; while not directly tied to Crlf Injection, they highlight the broader need to validate and sanitize all external inputs, including metadata that may eventually reach headers or AI endpoints.

Remediation focuses on two areas: preventing CRLF injection in headers and ensuring Firestore document values that may be reflected are sanitized. Do not trust document IDs or fields that may be used in headers. Use strict allow-lists for IDs and encode or remove CRLF characters when reflecting user data.

1. Validate and sanitize document IDs before using them in Firestore lookups or headers. Reject IDs containing control characters or enforce a pattern (e.g., alphanumeric with underscores).

2. When setting headers, ensure values are sanitized. Remove or encode \r and \n characters. Below is a secure version of the earlier route:

const app = require('fastify')();

// Allow-list validation for document IDs
function isValidDocId(id) {
  return typeof id === 'string' && /^[a-zA-Z0-9_-]{1,100}$/.test(id);
}

// Sanitization helper to remove CRLF
function stripCRLF(value) {
  return value.replace(/[\r\n]+/g, '');
}

app.get('/doc', async (req, res) => {
  const rawId = req.query.id;
  if (!isValidDocId(rawId)) {
    return res.status(400).send('Invalid document ID');
  }
  const docId = stripCRLF(rawId);
  const docRef = doc(db, 'items', docId);
  const snap = await getDoc(docRef);
  if (snap.exists()) {
    // Safe: sanitized before reflection
    res.set('X-Document-ID', docId);
    res.send(snap.data());
  } else {
    res.status(404).send('Not found');
  }
});

3. If you store URLs or labels in Firestore that may be used in redirects or headers, sanitize them at write time or escape them at render time. For redirects, prefer using a strict allow-list of destinations rather than user-supplied URLs. If you must store arbitrary strings, remove or encode CRLF characters on input:

// Example: sanitizing a user-supplied label before storing
const userLabel = req.body.label; // may contain CRLF
const safeLabel = stripCRLF(userLabel);
await setDoc(doc(db, 'labels', 'someId'), { text: safeLabel });

4. For exports or batch operations that reflect Firestore data into headers, apply the same stripping and validation. Treat any data that has passed through Firestore as potentially hostile when it reaches HTTP boundaries.

middleBrick’s scans can help identify Crlf Injection and related header manipulation issues by testing unauthenticated attack surfaces. If you use the CLI, you can run middlebrick scan <url> to get prioritized findings and remediation guidance, or integrate the GitHub Action to fail builds when risky headers are detected.