Request Smuggling in Axum with Cockroachdb
Request Smuggling in Axum with Cockroachdb — how this specific combination creates or exposes the vulnerability
Request smuggling is an HTTP protocol-level attack that exploits discrepancies in how front-end and back-end servers handle message framing—typically Content-Length versus Transfer-Encoding headers. When Axum, a Rust web framework, is placed behind a proxy or load balancer and is paired with Cockroachdb as the backend datastore, the combination can expose or create smuggling risks if header parsing is inconsistent between layers.
Axum applies middleware such as tower-http for compression, routing, and body handling. If Axum is configured to buffer and forward requests without strict normalization of Content-Length and Transfer-Encoding, an attacker can craft a request where the front-end accepts one message length while Axum interprets the body differently. This can cause Axum to read the next request’s headers as part of the current body, leading to request splitting or insertion.
Cockroachdb does not directly participate in HTTP parsing, but it becomes relevant when Axum processes requests that conditionally execute database operations based on manipulated headers or body content. For example, an injected request might trick Axum into issuing unintended SQL statements or bypassing intended routing logic before reaching Cockroachdb. Because Axum’s runtime behavior can vary depending on how headers are interpreted, smuggling can lead to authentication bypass or unauthorized data access when requests are forwarded to backend handlers that ultimately query Cockroachdb.
In practice, the vulnerability surfaces when:
- Axum is behind a reverse proxy that handles Transfer-Encoding, while Axum also parses Content-Length.
- Body payloads are not strictly validated before being used to construct database queries or commands sent to Cockroachdb.
- Different middleware components apply conflicting body size limits or chunk handling rules.
An attacker might send a request such as:
POST /user/profile HTTP/1.1
Content-Length: 44
Transfer-Encoding: chunked
0
GET /admin/accounts HTTP/1.1
Host: api.example.com
If Axum and the front-end proxy interpret the headers differently, the second request may be processed as part of the body, potentially reaching Axum’s routing layer and triggering database actions toward Cockroachdb without proper authentication.
Cockroachdb-Specific Remediation in Axum — concrete code fixes
Remediation focuses on strict header normalization and body handling in Axum before any Cockroachdb interaction. Ensure consistent HTTP message parsing at the edge and enforce a single interpretation of Content-Length and Transfer-Encoding.
1. Use Axum middleware to reject ambiguous requests early. For example, integrate tower-http::condition::HeaderCondition to strip or reject requests that contain both Content-Length and Transfer-Encoding.
use axum::middleware::Next;
use axum::http::request::Parts;
use std::task::{Context, Poll};
async fn reject_smuggling_headers(parts: &mut Parts, body: &mut B, next: Next<B>) -> Result<impl IntoResponse, (StatusCode, String)> {
let has_content_length = parts.headers.contains_key("content-length");
let has_transfer_encoding = parts.headers.contains_key("transfer-encoding");
if has_content_length && has_transfer_encoding {
return Err((StatusCode::BAD_REQUEST, "Ambiguous message framing".to_string()).into());
}
Ok(next.run(parts, body).await)
}
2. Normalize and limit body size before constructing database operations. Use Axum’s body::boxed with a maximum length to prevent oversized or malformed payloads from reaching Cockroachdb.
use axum::body::boxed;
use axum::http::Request;
use std::convert::Infallible;
async fn normalize_body(req: Request<B>) -> Result<Request<Box<dyn std::io::Read + Send>>, Infallible>
where
B: std::io::Read + Send + 'static,
{
let (parts, body) = req.into_parts();
let limited_body = body.take(1024 * 16); // 16 KB limit
let boxed_body = boxed(limited_body);
Ok(Request::from_parts(parts, boxed_body))
}
3. Validate and parameterize all database-bound inputs. When interacting with Cockroachdb via sqlx or tonic, use prepared statements and avoid concatenating raw headers or body fragments into queries.
use sqlx::postgres::PgPool;
use uuid::Uuid;
async fn get_user(pool: &PgPool, user_id: Uuid) -> Result<User, sqlx::Error> {
sqlx::query_as!(User, "SELECT id, name FROM users WHERE id = $1", user_id)
.fetch_one(pool)
.await
}
4. Enforce strict routing and authentication checks before any Cockroachdb call. Ensure that middleware validates session tokens or API keys and that route handlers do not rely on header-derived assumptions.
use axum::extract::State;
use crate::AppState;
async fn profile_handler(
State(state): State<AppState>,
user_id: axum::extract::Path<Uuid>,
) -> Result<impl IntoResponse, (StatusCode, String)> {
let user = state
.db
.get_user(&user_id)
.await
.map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB error"))?;
Ok(Json(user))
}
By combining strict header parsing, bounded body handling, and parameterized Cockroachdb queries, Axum applications can mitigate request smuggling risks while maintaining reliable database interactions.