Nosql Injection in Fastapi with Hmac Signatures

Nosql Injection occurs when user-controlled input is interpreted as part of a database query rather than as a literal value. In Fastapi applications that rely on Hmac Signatures for request authentication, a common pattern is to include the signature as a query or header parameter, then use that value to build queries, for example by passing it directly into a MongoDB aggregation or a DynamoDB condition. If the Hmac value is concatenated into a query string without strict validation or type casting, an attacker can inject operators such as $ne, $gt, or $regex into the Hmac parameter, altering the query logic.

Consider a Fastapi endpoint that authenticates requests using an Hmac signature derived from selected headers and the request path. If the application uses the signature value to filter documents, such as db.users.find({ "hmac": request_hmac }), and the Hmac is supplied by the client, an attacker may supply {"$ne": ""} as the signature. Depending on driver behavior and query construction, this can bypass authentication or cause the query to return unintended records. The combination of Hmac Signatures and Nosql Injection is risky because developers may trust the signature as a verified value, inadvertently allowing untrusted input to flow into the database layer.

OpenAPI/Swagger spec analysis can surface these risks when parameter schemas define the Hmac field as a generic string without strict pattern constraints. Without schema-enforced format rules, runtime behavior may differ from expectations, especially when the spec uses $ref to share a definition across paths and the implementation does not sanitize or validate the referenced model. middleBrick scans such endpoints, checking input validation and authentication boundaries, and may flag missing format enforcement for Hmac-like parameters as a finding under Input Validation and Authentication checks.

Another angle involves logging or error handling. If a Fastapi application logs the raw Hmac value from requests and that log is later aggregated with database queries, an injected operator could affect log parsing or be used in log injection scenarios. SSRF and Unsafe Consumption checks in middleBrick can help identify endpoints where external input reaches both authentication and downstream consumption paths, highlighting areas where separation of concerns is weak.

Inventory Management and Property Authorization checks further reveal whether the Hmac-related data is included in asset inventories or exposed through overly permissive property-level rules. When an Hmac parameter is treated as user data rather than a cryptographic proof, the risk of it being coerced into a Nosql Injection increases. By correlating runtime findings with spec definitions, security teams can see whether the Hmac field appears in models that also contain database identifiers, increasing the impact of a successful injection.

Remediation focuses on treating the Hmac signature as an immutable, verified token rather than query input. In Fastapi, this means validating the signature before it touches any database driver and ensuring it never participates in query construction. Below are concrete code examples that demonstrate a secure pattern.

First, define a dependency that extracts and verifies the Hmac signature using a constant-time comparison. Use a strong key stored in environment variables and a well-known algorithm such as HmacSHA256.

import os
import hmac
import hashlib
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

def get_signing_key():
    key = os.getenv("HMAC_SECRET_KEY")
    if not key:
        raise RuntimeError("HMAC secret key is not configured")
    return key.encode("utf-8")

def verify_hmac_signature(credentials: HTTPAuthorizationCredentials = Depends(HTTPBearer())):
    provided = credentials.credentials
    expected_b64 = hmac.new(
        get_signing_key(),
        msg=provided.encode("utf-8"),
        digestmod=hashlib.sha256
    ).digest()
    expected = base64.urlsafe_b64encode(expected_b64).decode("utf-8")
    if not hmac.compare_digest(provided, expected):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid signature"
        )
    return provided

Use this dependency on routes that require authentication, and avoid passing the signature value into query builders. Instead, after verification, map the request to a known principal or scope that your database queries can safely use.

Second, structure your database queries to exclude any user-controlled values that resemble signatures. For MongoDB, use an exact match on a precomputed server-side value rather than a client-supplied one:

from pymongo import MongoClient
client = MongoClient()
db = client["mydb"]

# Assume user_id and a server-side derived token are used
record = db.users.find_one({
    "user_id": user_id,
    "auth_token": server_computed_token  # not client-supplied
})

For DynamoDB with boto3, use a key condition that references only partition and sort keys, and validate the Hmac signature separately before constructing the request:

import boto3
from botocore.exceptions import ClientError

dynamodb = boto3.resource("dynamodb")
table = dynamodb.Table("my_table")

response = table.query(
    KeyConditionExpression=Key("pk").eq("user#123") & Key("sk").eq("metadata"),
)

Third, enforce strict schema definitions in your OpenAPI spec for any Hmac-like parameter, using format patterns and explicit examples. This enables middleBrick’s OpenAPI/Swagger spec analysis to validate that the Hmac field does not inadvertently overlap with database model definitions.

Finally, enable the GitHub Action to add API security checks to your CI/CD pipeline and set a threshold so that builds fail if the risk score drops below your acceptable level. The CLI tool can be integrated into scripts to automate scanning of staging APIs before deploy, ensuring that changes do not introduce regressions in authentication or input validation.