Http Request Smuggling in Fiber with Cockroachdb
Http Request Smuggling in Fiber with Cockroachdb — how this specific combination creates or exposes the vulnerability
HTTP request smuggling arises when a proxy or server processes an HTTP request differently than an origin server, enabling attackers to smuggle requests across trust boundaries. In a setup where Fiber serves as the application layer and Cockroachdb is used as the distributed SQL backend, the risk is not in Cockroachdb itself but in how requests are handled and routed before they reach the database layer.
When Fiber applications parse and forward requests to downstream services or when load balancers sit in front of Fiber, differences in header parsing—especially Transfer-Encoding and Content-Length—can cause a proxy to interpret the request body one way while Fiber interprets it another. If a request is split or duplicated, an attacker may be able to inject a second request that bypasses intended routing or authentication checks. If the Fiber app then constructs database queries using parameters derived from a smuggled request (for example, taking a path or header value that should have been rejected), it may issue unintended SQL against Cockroachdb.
Consider an endpoint that accepts a numeric identifier for a tenant and then queries Cockroachdb with that identifier. If request smuggling allows an attacker to inject an additional path segment or header, the tenant identifier may be overwritten or bypassed, leading to queries running in a different tenant context or exposing data across tenants. Because Cockroachdb often stores multi-tenant data with tenant_id columns, a single malformed or injected request can lead to unauthorized cross-tenant data access if the application does not enforce strict isolation after the smuggling point.
In addition, if the Fiber app forwards requests to an upstream service or another internal component before reaching Cockroachdb—such as a caching layer or an ORM layer—smuggled requests may be processed with elevated trust. For example, a request that appears to come from an internal service due to header manipulation might skip authentication checks and execute sensitive queries. This becomes particularly dangerous when the ORM or query builder dynamically constructs SQL based on headers or path parameters that were manipulated during smuggling.
Real-world attack patterns mirror classic request smuggling techniques such as CL.TE (Content-Length header, Transfer-Encoding header) or TE.CL (Transfer-Encoding header, Content-Length header) mismatches. If the Fiber app does not strictly validate or normalize these headers before routing, an attacker can smuggle requests that reach the database layer with incorrect authentication context or query parameters, leading to data exposure or unauthorized operations in Cockroachdb.
Cockroachdb-Specific Remediation in Fiber — concrete code fixes
Remediation focuses on ensuring that request parsing is consistent and that no smuggled requests can alter authentication, tenant context, or query construction. In Fiber, enforce strict header handling and avoid relying on values that may be modified by proxies.
1. Strict Content-Length and Transfer-Encoding handling
Ensure Fiber rejects requests that contain both Content-Length and Transfer-Encoding headers. Do not attempt to normalize them; instead, return an error to prevent smuggling attempts.
const { app } = require('fastify')();
const fiber = require('express')();
// Reject requests with both headers
fiber.use((req, res, next) => {
const hasContentLength = req.headers['content-length'] !== undefined;
const hasTransferEncoding = req.headers['transfer-encoding'] !== undefined;
if (hasContentLength && hasTransferEncoding) {
return res.status(400).send('Invalid headers: Content-Length and Transfer-Encoding cannot both be present');
}
next();
});
2. Tenant isolation enforcement before database queries
Always resolve the tenant context from authenticated session data, never from request path or headers that can be manipulated. Use middleware to validate tenant context and bind it to the database client.
// tenantMiddleware.js
function tenantMiddleware(req, res, next) {
const tenantId = req.user.tenantId; // from authenticated session
if (!tenantId) {
return res.status(401).send('Unauthorized');
}
// Attach tenantId to request for downstream use
req.tenantId = tenantId;
next();
}
// In your route handler
fiber.use(tenantMiddleware);
fiber.get('/data', async (req, res) => {
const client = await pool.connect();
try {
const result = await client.query(
'SELECT * FROM tenant_data WHERE tenant_id = $1',
[req.tenantId]
);
res.json(result.rows);
} finally {
client.release();
}
});
3. Parameterized queries and ORM safeguards
Use Cockroachdb parameterized queries exclusively. Avoid string concatenation or dynamic SQL that could incorporate smuggled values. If using an ORM, ensure it does not allow raw header or path values to directly influence table or column names.
const { Pool } = require('pg');
const pool = new Pool({ connectionString: 'your-cockroachdb-url' });
async function getTenantRecord(tenantId, recordId) {
const query = {
text: 'SELECT * FROM records WHERE tenant_id = $1 AND id = $2',
values: [tenantId, recordId],
};
const result = await pool.query(query);
return result.rows;
}
4. Input validation and reject smuggling indicators
Validate and sanitize all inputs, especially any values that influence routing or SQL generation. Reject paths with unusual encodings or duplicate segments that could be used to smuggle requests.
function validatePath(path) {
if (path.includes('..') || path.includes('//')) {
throw new Error('Invalid path');
}
return path;
}
5. Consistent routing and proxy configuration
Ensure that reverse proxies or API gateways strip or reject smuggling headers before requests reach Fiber. Configure the proxy to normalize Content-Length and reject ambiguous Transfer-Encoding usage.