Request Smuggling in Cockroachdb

Request smuggling (CWE-444) exploits discrepancies in how intermediaries (proxies, load balancers) and back-end servers parse HTTP request boundaries. CockroachDB's HTTP API—used for SQL execution via endpoints like /sql—is vulnerable when deployed behind a reverse proxy (e.g., nginx, Envoy) that mishandles Content-Length vs. Transfer-Encoding headers. CockroachDB's HTTP server strictly adheres to RFC 7230, but misconfigured proxies may forward ambiguous requests, allowing attackers to smuggle malicious SQL or administrative commands into the connection stream.

Two primary patterns emerge:

• CL.TE (Content-Length / Transfer-Encoding): The proxy uses Content-Length to delimit the first request, while CockroachDB (as the back-end) prioritizes Transfer-Encoding: chunked. An attacker sends a request with both headers, where the Content-Length value is smaller than the actual body. The proxy forwards only the first Content-Length bytes, but CockroachDB processes the entire chunked body, treating the excess as a new, smuggled request.
• TE.CL (Transfer-Encoding / Content-Length): The proxy processes Transfer-Encoding: chunked first, dechunks the body, then uses Content-Length on the dechunked stream. CockroachDB, however, may see the original chunked encoding. If the proxy incorrectly forwards the dechunked body with a Content-Length header, CockroachDB might read past the intended boundary, merging requests.

CockroachDB's distributed nature amplifies impact: a smuggled request could execute SET commands altering cluster-wide SQL defaults, or BACKUP/RESTORE operations if the compromised SQL user has privileges. For example, a smuggled DROP TABLE could run under the connection's authentication context, bypassing application-layer checks. The attack requires the victim's HTTP API endpoint to be exposed (often at https://<cockroachdb-host>:8080 or via a proxy path) and a vulnerable proxy configuration.

Detecting request smuggling in CockroachDB deployments involves testing the HTTP API (/sql endpoint) for header parsing inconsistencies. Manual testing uses tools like Burp Suite or curl to send ambiguous requests and observe response anomalies (e.g., delayed responses, HTTP 400/411 errors, or unexpected SQL errors). However, systematic scanning requires an automated tool that can:

• Send crafted CL.TE and TE.CL payloads targeting the /sql endpoint.
• Analyze response timing, status codes, and body content for evidence of request conflation (e.g., two SQL statements in one response, or errors indicating partial parsing).
• Correlate findings with CockroachDB's specific error messages (e.g., syntax error at or near for injected SQL, or permission denied for privilege escalation attempts).

Using middleBrick for Detection
middleBrick's scanner includes an Input Validation check that tests for HTTP request smuggling anomalies. Submit your CockroachDB HTTP API URL (e.g., https://db.example.com:8080/sql) to receive a risk score and per-category breakdown. The scan sends a sequence of smuggling probes and analyzes CockroachDB's responses. A finding might appear as:

{
  "check": "Input Validation",
  "severity": "high",
  "title": "Potential HTTP Request Smuggling (CL.TE)",
  "evidence": "Response body contained 'syntax error' after smuggled 'DROP TABLE'",
  "remediation": "Ensure reverse proxy normalizes or rejects ambiguous Content-Length/Transfer-Encoding headers."
}

middleBrick's Data Exposure check may also flag if smuggled requests extract sensitive data (e.g., SHOW TABLES). The scanner does not require credentials, focusing on the unauthenticated attack surface. For CI/CD integration, use the middlebrick CLI or GitHub Action to automatically scan staging CockroachDB endpoints before deployment:

middlebrick scan https://staging-db.example.com:8080/sql --output json

This flags smuggling regressions early, mapping findings to OWASP API Top 10:API4 (2023) and PCI-DSS requirement 6.5.1.

Remediation focuses on proxy configuration and CockroachDB's HTTP server hardening. Since middleBrick only detects, these steps must be implemented by your infrastructure team.

1. Normalize Proxy Headers
Configure your reverse proxy (nginx, Envoy, HAProxy) to reject or sanitize ambiguous requests. For nginx, ensure proxy_set_header directives do not blindly forward client headers. Example nginx config snippet:

location /sql {
    proxy_pass http://cockroachdb:8080;
    # Remove Transfer-Encoding from incoming requests to force Content-Length usage
    proxy_set_header Transfer-Encoding "";
    # Alternatively, explicitly set Content-Length from the dechunked body
    # (requires nginx's proxy_http_version 1.1 and chunked_transfer_encoding off)
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
    # Limit maximum request body size
    client_max_body_size 1m;
}

For Envoy, use request_headers_to_remove to strip Transfer-Encoding or Content-Length selectively, and enable http1_protocol_options with allow_absolute_url disabled.

2. Harden CockroachDB's HTTP Server
CockroachDB provides flags to restrict HTTP endpoint behavior. Start cockroach with:

--http-addr=0.0.0.0:8080 \
--http-max-request-size=1MiB \
--http-require-secure=true

--http-max-request-size limits body size, reducing blast radius of smuggled payloads. --http-require-secure forces HTTPS, preventing proxy downgrade attacks. Note: CockroachDB does not natively deconflict Content-Length vs. Transfer-Encoding; rely on the proxy to send well-formed requests.

3. Use Parameterized SQL via HTTP API
Always use prepared statements with parameters to mitigate SQL injection via smuggled payloads. Example using curl:

curl -X POST https://db.example.com:8080/sql \
  -d 'database=myapp' \
  -d 'sql=SELECT * FROM users WHERE id = $1' \
  -d 'args=[123]'

This ensures user input is bound, not interpolated. Combined with least-privilege SQL roles, it limits damage if smuggling occurs.

4. Continuous Monitoring
Deploy middleBrick's GitHub Action to scan the /sql endpoint on every PR. Configure the Pro plan's continuous monitoring to alert on score drops. Example workflow:

name: API Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: middlebrick/github-action@v1
        with:
          url: ${{ secrets.COCKROACHDB_HTTP_URL }}
          fail-threshold: 'B'

This fails builds if request smuggling (or other issues) lowers the score below B.

CockroachDB's HTTP API differs from generic REST APIs because it directly executes SQL over HTTP, often with high-privilege service accounts. Unlike JSON:API endpoints that accept structured data, /sql expects sql and args parameters, making it prone to smuggling if the proxy mishandles chunked encoding. Additionally, CockroachDB's distributed SQL engine may process a single smuggled request across multiple nodes, complicating logging and forensics. The risk is heightened when the HTTP API is exposed to the internet without a WAF, as many cloud deployments do for administrative convenience.