Request Smuggling in Feathersjs with Cockroachdb

Request smuggling arises when an HTTP request is interpreted differently by separate layers, such as a frontend proxy and the application server. In a Feathersjs application backed by Cockroachdb, the risk is not in Cockroachdb itself but in how Feathersjs services are deployed and how HTTP bodies are handled. Feathersjs applications typically run as Node.js services, often behind load balancers or API gateways that terminate TLS and forward requests. If these layers have different parsing behaviors—for example, one using chunked transfer decoding and another not—smuggled requests can reach the Feathersjs service.

When a Feathersjs service exposes a REST or Socket API without enforcing strict message size limits and robust body parsing, an attacker may craft requests that bypass intended routing or authentication checks. Consider a scenario where a request contains two Content-Length headers or uses Transfer-Encoding: chunked in a way that the proxy parses one body while Feathersjs parses another. Because Feathersjs relies on underlying HTTP server behavior and community plugins for parsing, inconsistent handling can lead to request splitting or teardrop attacks.

Although Cockroachdb is a distributed SQL database and does not parse HTTP, it becomes relevant when Feathersjs services execute raw or poorly parameterized database queries in response to manipulated request inputs. For example, if a smuggled request modifies query parameters or path variables that are later used in a Cockroachdb client call, unintended data access or injection-like outcomes may occur in the application logic layer. Attack patterns such as CRLF injection can manipulate headers to affect routing within the Feathersjs middleware stack, potentially exposing other services or changing the intended database operation context.

Real-world references include common web vulnerabilities mapped to OWASP API Top 10, such as Broken Object Level Authorization (BOLA), where smuggling can alter resource identifiers to access unauthorized data. In regulated environments, improper request handling may also implicate compliance with SOC2 and GDPR if sensitive data is exposed or modified. Tools like middleBrick can detect inconsistencies in how endpoints handle malformed or ambiguous requests, highlighting these risks in scans that test the unauthenticated attack surface in 5–15 seconds.

To illustrate, a vulnerable Feathersjs hook might trust headers forwarded by a proxy without revalidation:

app.hooks({
  before: {
    all: [context => {
      // Risk: trusting X-Forwarded-* without validation
      const clientIp = context.headers['x-forwarded-for'] || context.ip;
      context.params.remoteAddress = clientIp;
      return context;
    }]
  }
});

An attacker could smuggle a request with a modified X-Forwarded-For header to change apparent source identity, which the service may use in logging or authorization checks that indirectly affect Cockroachdb query behavior.

Remediation focuses on hardening Feathersjs services to ensure consistent request parsing and validation before any database interaction. Since Cockroachdb does not process HTTP, fixes are applied at the service and middleware layer to prevent malformed requests from reaching database calls.

First, enforce strict body parsing and limit payload sizes at the server level. Configure the underlying HTTP server options to reject ambiguous transfer encodings:

const app = require('@feathersjs/feathers')();
const express = require('@feathersjs/express');

// Use express adapter with strict settings
const server = express(app);
server.use(express.json({ limit: '10kb' }));
server.use(express.urlencoded({ extended: false, limit: '10kb' }));

// Reject requests with conflicting encodings
server.use((req, res, next) => {
  if (req.headers['transfer-encoding'] && req.headers['content-length']) {
    return res.status(400).send('Invalid headers');
  }
  next();
});

Second, validate and sanitize all inputs before using them in Cockroachdb queries. Use parameterized queries with the Cockroachdb Node.js client to avoid injection and ensure that identifiers are not smuggled:

const { Client } = require('pg'); // CockroachDB wire protocol compatible

const client = new Client({
  connectionString: process.env.DATABASE_URL
});

await client.connect();

// Safe query using parameterized values
const getUser = async (userId, context) => {
  const result = await client.query(
    'SELECT id, email FROM users WHERE id = $1 AND organization_id = $2',
    [userId, context.params.organization.id]
  );
  return result.rows[0];
};

Third, implement middleware that revalidates headers and normalizes paths to prevent smuggling attempts from affecting routing. In Feathersjs, custom hooks can reject suspicious patterns:

app.hooks({
  before: {
    all: [context => {
      const { headers } = context;
      // Reject malformed encodings
      if (headers['x-forwarded-proto'] && !['http', 'https'].includes(headers['x-forwarded-proto'])) {
        throw new Error('Invalid protocol');
      }
      // Ensure consistent host handling
      context.params.host = new URL(context.path || '/', 'http://localhost').host;
      return context;
    }]
  }
});

Finally, use middleBrick to scan your Feathersjs endpoints regularly. Its unauthenticated checks can surface inconsistencies in header handling and input validation that could enable smuggling. With the Pro plan, you can enable continuous monitoring to detect regressions early, and the GitHub Action can fail builds if a new endpoint introduces risky parsing behavior.