Email Injection in Chi with Api Keys

Email injection in the Chi web framework occurs when user-controlled input is concatenated into email headers without validation or sanitization. When API keys are used for authentication or tracking, developers sometimes embed them directly in headers or logs, inadvertently creating pathways for injection. For example, an endpoint that sends a notification email might read an API key from request headers and include it in a custom header or message body. If the API key value is taken from user input and inserted into a header like Cc:, Bcc:, or Subject: without sanitization, an attacker can inject additional headers or control the message routing.

Chi routes are pattern-matched and handlers are composed explicitly, so injection typically arises at the application layer rather than the framework itself. Consider a handler that builds an email using values from the request:

// Risky handler that concatenates user input into email headers
let apiKey = req.header("x-api-key") || "";
let recipient = req.query["to"] || "[email protected]";
let subject = "API Key: " + apiKey;
let email = Email.create({
  to: recipient,
  subject: subject,
  body: "Request processed.",
});
Email.send(email);

An attacker can supply a crafted API key or to parameter containing newline sequences (e.g., [email protected]\nCc: [email protected]) to add extra recipients or alter the email path. Because Chi does not automatically sanitize header values, the concatenated API key becomes a vector for email header manipulation. This can lead to spam relay, information disclosure, or phishing via compromised headers. The vulnerability is not in Chi’s routing, but in how developers handle and compose headers using external data, especially when API keys are treated as implicit trust anchors.

Because middleBrick scans the unauthenticated attack surface, it can detect unsafe concatenation patterns in endpoints that involve email composition and key usage. Findings include missing input validation on header-derived values and lack of canonicalization before logging or messaging. The scanner maps these to the OWASP API Top 10 and provides prioritized remediation guidance.

Remediation focuses on strict validation, avoiding header concatenation with external data, and using structured email APIs that separate metadata from content. Never directly interpolate values into email headers. Instead, use a dedicated email library that enforces header safety, and treat API keys as opaque credentials stored server-side, not exposed to clients or logs.

Secure handler example using Chi and a safe email interface:

// Secure handler: validate inputs and avoid header injection
let apiKey = req.header("x-api-key");
if (!apiKey || !/^[A-Za-z0-9\-_]+$/.test(apiKey)) {
  return Response.json({ error: "Invalid API key" }, { status: 400 });
}
let recipient = req.query["to"];
if (!recipient || !/^[\w._%+-]+@[\w.-]+\.[a-zA-Z]{2,}$/.test(recipient)) {
  return Response.json({ error: "Invalid recipient" }, { status: 400 });
}
// Use a safe email builder that does not allow custom headers from input
let email = Email.create({
  to: recipient,
  subject: "Request processed",
  body: "Request processed.",
});
// If you must tag emails, use metadata fields supported by the library,
// not custom headers that can be influenced by API key or user input.
Email.send(email);
Key practices:
Validate and sanitize all inputs with strict allowlists, especially for email headers and recipient addresses.
Do not concatenate API keys or other secrets into email headers, URLs, or logs.
Use library functions that separate header construction from content, preventing newline-based injection.
Rotate API keys and avoid exposing them in client-side code or error messages.
Leverage middleBrick’s CLI to scan endpoints for such patterns: middlebrick scan <url>, and integrate scans into CI/CD with the GitHub Action to fail builds on risky header usage.