Formula Injection in Feathersjs with Cockroachdb

Formula Injection occurs when untrusted user input is concatenated into database queries or computed expressions, allowing an attacker to manipulate logic or extract data. In a Feathersjs application using Cockroachdb, this risk arises when service methods directly interpolate external values into SQL-like statements or query builders without validation or parameterization.

Feathersjs abstracts database interactions through hooks and services. If a service uses raw queries or query builders that embed user-controlled fields (e.g., $where, raw, or dynamic sequelize-style conditions) without sanitization, an attacker can inject crafted expressions. With Cockroachdb, which supports PostgreSQL wire protocol and standard SQL syntax, injected formulas can alter query behavior, bypass filters, or cause unintended data access.

Consider a Feathers service that retrieves user records with a dynamic filter:

app.service('users').find({
  query: {
    $where: "id = " + req.query.id + " AND active = true"
  }
});

If req.query.id is controlled by an attacker, they can inject 1; DROP TABLE users; -- or 1 OR 1=1, leading to data exposure or modification. Cockroachdb will execute the injected SQL as part of its distributed SQL engine, propagating the malicious logic across nodes. Because Feathersjs does not inherently sanitize these inputs, the vulnerability manifests at the database layer.

Another common pattern involves dynamic sorting or field selection:

app.service('products').find({
  query: {
    sort: req.query.sort // e.g., "price; DROP TABLE products--"
  }
});

Here, unsanitized input can break query structure, enabling privilege escalation or data exfiltration. Cockroachdb’s compatibility with PostgreSQL syntax means attackers can exploit standard SQL injection techniques, including time-based blind injection using pg_sleep or conditional boolean expressions.

The LLM/AI Security checks in middleBrick specifically test for such injection paths by probing endpoints with payloads designed to extract system prompts or manipulate control flow. While middleBrick does not fix these issues, its findings include prioritized guidance and remediation steps mapped to OWASP API Top 10 and compliance frameworks.

To mitigate Formula Injection in Feathersjs with Cockroachdb, always treat user input as untrusted and enforce strict parameterization and validation. Use Feathers hooks to sanitize inputs before they reach service methods, and prefer query builders that support parameterized statements.

1. Use Feathers hooks with validation libraries

Apply a hook to validate and sanitize query parameters. For example, using @feathersjs/validator:

const { iff, isProvider, preventChanges } = require('feathers-hooks-common');
const { validator } = require('@feathersjs/validator');

app.service('users').hooks({
  before: {
    find: [
      iff(isProvider('external'), validator({
        id: { in: 'uuid' },
        sort: { whitelist: ['createdAt', 'updatedAt', 'name'] }
      }))
    ]
  }
});

This ensures that id conforms to UUID format and sort only allows predefined safe fields, neutralizing injection attempts.

2. Parameterized queries with Sequelize ORM

If using Sequelize with Cockroachdb, leverage parameterized where clauses instead of raw strings:

const users = await app.service('users').Model.findAll({
  where: {
    id: req.query.id,
    active: true
  }
});

Sequelize automatically escapes inputs, preventing formula injection. Avoid .query() with concatenated strings.

3. Raw query parameterization

When raw queries are unavoidable, use placeholders supported by Cockroachdb’s PostgreSQL interface:

const result = await app.service('users').Model.sequelize.query(
  'SELECT * FROM users WHERE id = $1 AND active = $2',
  {
    replacements: [req.query.id, true],
    type: sequelize.QueryTypes.SELECT
  }
);

The $1, $2 syntax ensures inputs are treated as data, not executable code. This pattern works across Cockroachdb clusters and prevents injection.

4. Disable unsafe query modes

Ensure Feathersjs services do not enable raw or unsafe query passthrough. Review service configurations to avoid exposing endpoints that accept unvalidated $where or $select operators.

Using the CLI tool, you can scan your endpoints to detect such risks:

middlebrick scan https://api.example.com/openapi.json

Results will highlight injection-prone endpoints, and the Web Dashboard can track remediation progress. The Pro plan enables continuous monitoring to catch regressions early.