Http Request Smuggling in Express with Cockroachdb
Http Request Smuggling in Express with Cockroachdb — how this specific combination creates or exposes the vulnerability
HTTP request smuggling occurs when an attacker sends a specially crafted request that is interpreted differently by front-facing infrastructure (such as a load balancer or reverse proxy) and the origin server. In an Express application backed by CockroachDB, the risk is not that CockroachDB introduces smuggling, but that the request handling path—particularly header parsing, body consumption, and routing—can be manipulated to cause request/response desynchronization. If Express parses requests inconsistently relative to an upstream proxy, an attacker can smuggle requests across security boundaries, potentially causing unauthorized access to admin routes, cache poisoning, or leaking one user’s data to another user’s session.
When CockroachDB is used as the backend data store, smuggling-related logic flaws often surface in how Express routes build and forward queries. For example, if route parameters or JSON body fields are directly interpolated into SQL without strict validation, smuggling inputs can manipulate query structure or metadata. Consider an Express route that merges user-supplied values into an SQL statement sent to CockroachDB:
app.get('/user', (req, res) => {
const { table } = req.query;
db.query(`SELECT * FROM ${table}`) // unsafe: user-controlled table name
.then(data => res.json(data.rows))
.catch(err => res.status(500).json({ error: err.message }));
});
If an upstream proxy normalizes headers differently than Express, an attacker may smuggle a second request inside the body of the first. Because CockroachDB is strongly consistent for reads within a transaction, a smuggled query that runs under an unintended transaction context could expose data that should be isolated. Moreover, if the Express app mixes authenticated and unauthenticated routes without strict route-level separation, a smuggled request may bypass intended access controls and reach endpoints backed by CockroachDB that should be protected.
The 12 parallel security checks in middleBrick highlight these risks by testing authentication, BOLA/IDOR, input validation, and rate limiting on the unauthenticated attack surface. For instance, inconsistent handling of Content-Length versus Transfer-Encoding headers between proxy and Express can allow a smuggled request to reach a CockroachDB-backed endpoint that lacks proper authorization checks. Because CockroachDB returns structured errors, an attacker can sometimes infer database schema or timing characteristics via differential responses, especially when error handling in Express exposes stack traces or SQL details.
Cockroachdb-Specific Remediation in Express — concrete code fixes
To mitigate request smuggling when Express serves a CockroachDB backend, focus on strict input validation, canonical header handling, and isolating database interactions. Below are concrete, safe patterns you can apply.
1. Validate and sanitize all user input before using it in SQL
Never directly interpolate user-controlled values into SQL strings. Use parameterized queries or an ORM that enforces separation of code and data. For CockroachDB, the pg client supports parameterized queries, which prevent injection and avoid ambiguities that could be abused in smuggling contexts.
const { Pool } = require('pg');
const pool = new Pool({ connectionString: process.env.DATABASE_URL });
app.get('/user', async (req, res) => {
const { userId } = req.params;
if (!/^[0-9a-fA-F\-]{36}$/.test(userId)) {
return res.status(400).json({ error: 'Invalid user ID' });
}
try {
const { rows } = await pool.query('SELECT id, name, email FROM users WHERE id = $1', [userId]);
if (rows.length === 0) return res.status(404).json({ error: 'Not found' });
res.json(rows[0]);
} catch (err) {
res.status(500).json({ error: 'Internal server error' });
}
});
2. Enforce strict header and body parsing policies
Configure Express to reject requests with both Content-Length and Transfer-Encoding, and ensure body parsing is consistent with your proxy. This reduces the chance that a smuggled request is misinterpreted differently by server and proxy.
const express = require('express');
const app = express();
// Limit JSON body size and reject malformed content-length combinations
app.use(express.json({ limit: '10kb' }));
app.use((req, res, next) => {
const len = req.get('content-length');
const te = req.get('transfer-encoding');
if (len && te) {
return res.status(400).json({ error: 'Conflicting Content-Length and Transfer-Encoding' });
}
next();
});
3. Isolate routes and apply least-privilege database access
Scope CockroachDB queries to the minimal required permissions and separate public-facing endpoints from admin-sensitive routes. Use route-specific pools if necessary, and avoid returning raw database errors to clients.
const publicPool = new Pool({ connectionString: process.env.PUBLIC_DB_URL });
const adminPool = new Pool({ connectionString: process.env.ADMIN_DB_URL });
app.get('/public/data/:id', async (req, res) => {
const { id } = req.params;
try {
const { rows } = await publicPool.query('SELECT id, label FROM public_data WHERE id = $1', [id]);
if (!rows.length) return res.status(404).end();
res.json(rows[0]);
} catch (err) {
res.status(500).json({ error: 'Failed to fetch data' });
}
});
By combining strict validation, canonical header handling, and least-privilege database connections, you reduce the surface for request smuggling and ensure that CockroachDB interactions remain predictable and safe.