HIGH insecure direct object referencefeathersjscockroachdb

Insecure Direct Object Reference in Feathersjs with Cockroachdb

Scan for insecure direct object reference in feathersjs

Insecure Direct Object Reference in Feathersjs with Cockroachdb — how this specific combination creates or exposes the vulnerability

Insecure Direct Object Reference (IDOR) occurs when an API exposes a reference—such as a database primary key or record ID—to the client and uses that reference directly to access or modify resources without verifying that the authenticated subject is authorized for that specific object. In a Feathersjs application backed by Cockroachdb, this typically arises when a service route accepts a user-supplied id parameter and uses it in a query without contextual authorization checks.

Consider a Feathersjs service defined with the App Sequelize ORM adapter pointing to a Cockroachdb instance. A route like GET /messages/:id might retrieve a message by ID. If the service handler does not scope the query to the requesting user, an attacker can enumerate numeric or predictable IDs and read messages belonging to other users. This is an unauthenticated or low-privilege access path that bypasses intended ownership boundaries.

Feathersjs services often rely on hooks for authorization. If the hook layer is incomplete—for example, only checking whether a record exists rather than whether the requesting subject owns or is permitted to access that record—an IDOR vulnerability is present. Attackers may leverage this to access administrative endpoints or other tenants’ data in a multi-tenant schema where tenant identifiers are not consistently enforced at the query layer.

Cockroachdb’s SQL semantics do not inherently prevent IDOR; they behave like any relational database in returning rows when constraints are not applied. The risk is introduced by the application layer. For instance, a raw query such as SELECT * FROM messages WHERE id = $1 parameterized with an attacker-controlled ID will return the record if it exists, regardless of ownership. Without additional predicates such as user_id = $2 tied to the authenticated subject, the database faithfully returns the targeted data, enabling horizontal privilege escalation.

Real-world attack patterns mirror OWASP API Top 10 A1: Broken Object Level Authorization. In regulated environments, exposure of other users’ PII or modification of financial records via guessed IDs can violate compliance requirements such as GDPR or HIPAA. Because Feathersjs can auto-generate CRUD routes, developers might overlook the need to scope every query by tenant or user context, especially when using Cockroachdb’s distributed nature where data locality does not enforce tenant isolation.

An example of a vulnerable Feathersjs service using Sequelize with Cockroachdb might look like this, where the hook does not restrict by user:

// services/messages/messages.service.js
const { Service } = require('feathers-sequelize');

class MessageService extends Service {
  async find(params) {
    // Vulnerable: no user scoping
    return super.find(params);
  }

  async get(id, params) {
    // Vulnerable: direct ID lookup without ownership check
    return super.get(id, params);
  }
}

module.exports = function (app) {
  const options = {
    name: 'messages',
    Model: app.get('sequelize').models.Message,
    pagination: app.get('pagination')
  };
  app.use('/messages', new MessageService(options));
};

If the hook that calls find or get does not append a where: { userId: params.user.id } constraint, the service will expose IDOR. Cockroachdb will return the requested row if the ID is valid, leading to unauthorized data access.

Cockroachdb-Specific Remediation in Feathersjs — concrete code fixes

Remediation centers on ensuring every data access path enforces ownership or tenant scoping. In Feathersjs with Cockroachdb, this means modifying Sequelize models and hooks to include user context in queries, avoiding reliance on client-supplied IDs alone.

First, ensure your service hooks append a scope condition. In a Feathersjs before hook, augment the query’s where clause to include the authenticated user’s ID. For a typical user-scoped message service:

// hooks/message-hooks.js
const globalHooks = require('../../../hooks');

exports.ensureScope = function () {
  return async context => {
    const { user } = context.params;
    if (user && user.id) {
      // Scope all queries to the requesting user
      context.params.sequelize = {
        ...context.params.sequelize,
        where: {
          ...context.params.sequelize?.where,
          userId: user.id
        }
      };
    } else {
      throw new Error('Unauthorized');
    }
    return context;
  };
};

Apply this hook to the service so that both find and get include the predicate. For Cockroachdb, this results in SQL like SELECT * FROM messages WHERE id = $1 AND user_id = $2, preventing cross-user reads.

Second, avoid exposing internal IDs directly when feasible. Use UUIDs or hash-based identifiers that do not leak enumeration patterns. If you must use numeric IDs, ensure strict scoping as above. Here is a revised service setup with hooks applied:

// services/messages/messages.service.js
const { Service } = require('feathers-sequelize');
const { ensureScope } = require('./hooks');

class SecureMessageService extends Service {
  async find(params) {
    // Safe: scoped by hook
    return super.find(params);
  }

  async get(id, params) {
    // Safe: hook ensures scope includes userId
    return super.get(id, params);
  }
}

module.exports = function (app) {
  const options = {
    name: 'messages',
    Model: app.get('sequelize').models.Message,
    pagination: app.get('pagination')
  };
  const service = new SecureMessageService(options);
  service.hooks.push(globalHooks());
  service.hooks.push({
    before: {
      all: [ensureScope()],
      find: [],
      get: [],
      create: [],
      update: [],
      patch: [],
      remove: []
    }
  });
  app.use('/messages', service);
};

For multi-tenant Cockroachdb deployments, include a tenant identifier in the where clause. If tenant IDs are stored on the user record:

// hooks/tenant-hooks.js
exports.ensureTenantScope = function () {
  return async context => {
    const { user } = context.params;
    if (user && user.tenantId) {
      context.params.sequelize = {
        ...context.params.sequelize,
        where: {
          ...context.params.sequelize?.where,
          tenantId: user.tenantId
        }
      };
    }
    return context;
  };
};

Combine ownership and tenant hooks to harden against IDOR. Regularly review generated SQL logs from Cockroachdb to confirm predicates are applied as expected. middleBrick can be used to validate these configurations by scanning your endpoints and mapping findings to frameworks like OWASP API Top 10, providing prioritized remediation guidance without replacing developer implementation.

Related CWEs: bolaAuthorization

CWE IDNameSeverity
CWE-250Execution with Unnecessary Privileges HIGH
CWE-639Insecure Direct Object Reference CRITICAL
CWE-732Incorrect Permission Assignment HIGH
Scan for insecure direct object reference in feathersjs Free API security scan

Frequently Asked Questions

Can IDOR be detected by scanning an OpenAPI spec alone?
OpenAPI spec analysis can highlight missing authorization constraints on parameters, but runtime behavior must be tested. middleBrick scans unauthenticated attack surfaces and cross-references spec definitions with live findings to identify potential IDOR patterns.
Does using UUIDs instead of integers fully prevent IDOR?
UUIDs reduce predictability, but they do not replace authorization checks. An attacker can still manipulate UUIDs to access unauthorized resources if scoping is missing. Always enforce ownership or tenant context on the server side.

Related Pages

Insecure Direct Object Reference in FeathersjsLearn how Insecure Direct Object Reference vulnerabilities manifest in Feathersjs applications, with specific detection Insecure Direct Object Reference in CockroachdbLearn how Insecure Direct Object Reference vulnerabilities manifest in Cockroachdb applications, how to detect them withCis: Insecure Direct Object ReferenceLearn how Insecure Direct Object Reference (IDOR) manifests, how to detect it with middleBrick, and how to remediate it Insecure Direct Object Reference in Feathersjs on CloudflareUnderstand IDOR in Feathersjs behind Cloudflare and apply code-level hooks plus Cloudflare request validation to enforceOwasp Api Top 10: Insecure Direct Object Reference in FeathersjsUnderstand OWASP API Top 10 IDOR in FeathersJS and apply concrete hooks-based fixes with code examples.Hipaa: Insecure Direct Object Reference in FeathersjsExplore IDOR in FeathersJS under HIPAA: understand risks and apply concrete hooks-based fixes to enforce ownership and aGdpr: Insecure Direct Object Reference in FeathersjsExplore GDPR risks in IDOR with Feathersjs, see concrete vulnerable and secure code examples, and learn remediation pattNist: Insecure Direct Object Reference in FeathersjsExplore IDOR with FeathersJS under NIST guidance: understand how insecure direct object references arise and apply concrInsecure Direct Object Reference in Feathersjs with Jwt TokensIDOR in FeathersJS with JWT tokens: causes and code-level fixes to scope data access to the authenticated subject.Insecure Direct Object Reference in Feathersjs with Api KeysUnderstand IDOR with API keys in FeathersJS and implement scoped queries with hooks for secure endpoints.Insecure Direct Object Reference in Feathersjs with Hmac SignaturesInsecure Direct Object Reference in FeathersJS with Hmac Signatures: how IDOR persists and concrete Hmac-based fixes witInsecure Direct Object Reference in Feathersjs with Basic AuthUnderstand IDOR in FeathersJS with Basic Auth: causes, real code examples, and remediation patterns including scoped hoo