Log Injection in Feathersjs with Cockroachdb
Log Injection in Feathersjs with Cockroachdb — how this specific combination creates or exposes the vulnerability
Log injection occurs when untrusted input is written directly into application or system logs without proper sanitization. In a Feathersjs application backed by Cockroachdb, this typically arises from two vectors: unvalidated client-supplied data that reaches server-side logging statements, and unchecked interpolation of database metadata or errors into logs. Feathersjs, being a framework that favors REST and real-time APIs, often exposes request context (query parameters, payload fields, user identifiers) and service hooks that can propagate raw input into log lines. When these logs also record Cockroachdb-specific details—such as SQL error messages, table names, or connection identifiers—attackers can inject newline or control characters that alter the log structure or inject additional log entries.
Consider a Feathersjs service that logs every create call with user input directly concatenated:
app.service('todos').hooks({
before: {
create: async context => {
const { text, userId } = context.data;
console.log(`Creating todo for user ${userId}: ${text}`);
return context;
}
}
});
If text or userId contains newline characters (e.g., userId: "123\nWARN system compromised"), the log entry can spawn multiple lines, enabling log forging or obscuring the true sequence of events. Cockroachdb can exacerbate this when error objects are logged verbatim. For example, a database constraint violation might return a detailed error that includes query text or table names; if this is included in logs without sanitization, attackers can inject crafted content:
try {
await context.app.service('todos').Model.create(context.data);
} catch (err) {
console.error('DB write failed:', err.message);
}
An attacker could supply input that triggers a Cockroachdb error containing newline and comment sequences, such as '); --
admin=true --, which when logged can make malicious entries appear authoritative. Even structured logging formats like JSON can be compromised if newlines are embedded in string fields, breaking log parsers and enabling injection-based log forging attacks. The OWASP API Top 10 category API1:2023 Broken Object Level Authorization often pairs with log injection when attackers manipulate IDs to include log-affecting payloads, and middleBrick’s BOLA/IDOR and Input Validation checks help surface these risks.
In environments using Cockroachdb’s wire protocol or server-side logging extensions, additional risk arises from misconfigured logging of connection or transaction metadata. If Feathersjs hooks log transaction IDs or session handles that include unescaped user input, injected newlines can cause log forging or facilitate log-based blind injection. Because log injection does not always produce immediate exploitation, it is frequently overlooked until used in conjunction with other weaknesses. middleBrick’s LLM/AI Security and Input Validation scans specifically test for newline injection and structured log breakage, providing prioritized findings with remediation guidance to ensure logs remain reliable for audit and troubleshooting.
Cockroachdb-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on strict input validation, structured logging with escaping, and safe error handling that avoids exposing Cockroachdb internals. In Feathersjs, implement a global before hook that sanitizes relevant fields and ensures log entries remain single-line and structured. Use libraries designed for safe logging and parameterized formatting to prevent concatenation-based injection.
First, validate and sanitize inputs for known dangerous characters. For example, strip or reject newline and carriage return characters from user-controlled fields before they reach logging or database layers:
const sanitize = (str) => {
if (typeof str !== 'string') return str;
return str.replace(/[\r\n]+/g, ' ').trim();
};
app.service('todos').hooks({
before: {
create: async context => {
const { text, userId } = context.data;
context.data.text = sanitize(text);
context.data.userId = sanitize(userId);
return context;
}
}
});
Second, use structured logging with a dedicated logger that escapes newlines and avoids string interpolation for dynamic content. For JSON-formatted logs, ensure fields are properly encoded:
const logger = {
info: (obj) => console.log(JSON.stringify({ level: 'info', ...obj })),
error: (obj) => console.error(JSON.stringify({ level: 'error', ...obj }))
};
app.service('todos').hooks({
after: {
create: context => {
logger.info({
event: 'todo_created',
userId: String(context.result?.user?._id || '').replace(/[\r\n]/g, ''),
todoId: String(context.result?._id || '').replace(/[\r\n]/g, '')
});
return context;
}
}
});
Third, handle Cockroachdb errors safely by avoiding direct inclusion of raw error messages in logs. Instead, log stable error codes and sanitize the message:
try {
await context.app.service('todos').Model.create(context.data);
} catch (err) {
const safeMessage = err.message ? err.message.split('\n').join(' ') : 'unknown error';
logger.error({
event: 'db_write_failure',
code: err.code || 'UNKNOWN_ERROR',
message: safeMessage
});
throw err;
}
For production readiness, integrate middleBrick’s CLI to scan your Feathersjs endpoints and detect log injection patterns alongside BOLA/IDOR and Input Validation issues. The CLI provides JSON output that can be fed into CI/CD workflows; with the GitHub Action, you can enforce a security score threshold and fail builds if risk levels exceed your policy. Teams using the Pro plan gain continuous monitoring and Slack/Teams alerts to catch regressions early, while the Web Dashboard helps track improvements across service versions.