Out Of Bounds Write in Fastapi with Hmac Signatures

An Out Of Bounds Write occurs when data controlled by an attacker is written outside the intended memory boundaries, which in web API contexts often manifests as unexpected mutation of adjacent data, buffer-like behavior in structured objects, or unsafe deserialization paths. In FastAPI, this risk can emerge when an endpoint trusts unchecked input lengths or offsets and then writes into arrays, byte buffers, or structured models without proper bounds enforcement.

Combining FastAPI with Hmac Signatures introduces a specific attack surface: the Hmac signature is typically used to verify integrity and authenticity of requests, but if the application uses the signature or its derived values in unsafe ways—such as indexing into arrays, controlling loop bounds, or determining slice lengths—an attacker can manipulate payloads or signature-related metadata to trigger out-of-bounds behavior.

Consider a scenario where a FastAPI endpoint validates an Hmac signature and then uses a user-supplied index or length derived from the payload or signature metadata to slice or write into a buffer-like structure (e.g., a bytearray, list, or memoryview). If the index or length is not strictly validated, an attacker can supply values that cause writes beyond allocated boundaries. This can corrupt adjacent data structures, overwrite critical fields, or lead to unstable runtime states.

In OpenAPI/Swagger specs, such vulnerabilities often hide in parameters that control pagination, batch operations, or chunked processing, especially when combined with Hmac-based request authentication. For example, an endpoint that accepts offset and limit query parameters and uses an Hmac signature to authorize the request may still perform unchecked writes if limit is used to allocate or size a buffer without validating it against actual data sizes.

During black-box scanning, middleBrick tests these combinations by sending manipulated inputs and Hmac signatures to detect anomalous behavior, such as unexpected response codes, data corruption indicators, or server errors that suggest boundary violations. Because the scan operates without authentication, it focuses on the unauthenticated attack surface where input validation and signature usage intersect.

Real-world patterns include using Hmac signatures in webhook payloads where the receiver trusts the signature but processes message fields with unchecked indices or lengths. Another pattern is using Hmac-based tokens to authorize batch update requests where the batch size is not bounded, enabling an attacker to influence memory operations through crafted payload sizes.

To detect this, middleBrick runs checks such as Input Validation and Unsafe Consumption in parallel, cross-referencing OpenAPI definitions with runtime findings. If the spec defines numeric constraints but the runtime accepts out-of-range values, a high-severity finding is generated with remediation guidance specific to bounding writes and signature handling.

Remediation focuses on strict validation of all inputs that influence memory operations, independent of Hmac signature validity. The Hmac verification should only confirm integrity and origin; it must not be used to decide how much data to read or where to write.

Below is a secure FastAPI example that validates an Hmac signature and then processes a payload with bounded, validated parameters:

from fastapi import FastAPI, Request, HTTPException, Header
from fastapi.responses import JSONResponse
import hmac
import hashlib
import json

app = FastAPI()

SECRET_KEY = b"super-secret-key"

def verify_hmac_signature(payload: bytes, signature: str) -> bool:
    computed = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(computed, signature)

@app.post("/process")
async def process_item(request: Request, x_signature: str = Header(...)):
    body = await request.body()
    if not verify_hmac_signature(body, x_signature):
        raise HTTPException(status_code=401, detail="Invalid signature")
    
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        raise HTTPException(status_code=400, detail="Invalid JSON")
    
    # Strict validation of user-controlled bounds
    items = data.get("items", [])
    if not isinstance(items, list):
        raise HTTPException(status_code=400, detail="items must be a list")
    
    max_items = 100
    if len(items) > max_items:
        raise HTTPException(status_code=400, detail=f"items exceeds maximum of {max_items}")
    
    # Safe processing: no use of user input as memory index without bounds check
    results = []
    for idx, item in enumerate(items):
        # Ensure idx is within safe range before any slice/write operations
        if idx < 0 or idx >= max_items:
            raise HTTPException(status_code=400, detail="Invalid item index")
        # Perform safe transformation
        results.append({"position": idx, "value": item})
    
    return JSONResponse(content={"processed": len(results), "data": results})

Key remediation practices:

• Never derive buffer sizes, slice lengths, or memory offsets directly from Hmac-signature-dependent fields.
• Validate all numeric inputs (offset, limit, index) against defined ranges before using them in slicing or memory operations.
• Use constants for maximum sizes and enforce them before any allocation or write.
• Keep Hmac verification separate from business logic that determines data structure sizes.
• Leverage FastAPI’s built-in validation (Pydantic models) to enforce types and constraints, ensuring that user-controlled values cannot trigger out-of-bounds writes.

For continuous protection, the Pro plan’s continuous monitoring can be configured to alert if scans detect endpoints that accept unbounded inputs alongside Hmac authentication, while the GitHub Action can fail builds when such risky patterns are present in OpenAPI specs.