Ssrf in Axum with Cockroachdb

Server-Side Request Forgery (SSRF) in an Axum service that uses CockroachDB can occur when user-supplied data is used to influence outbound HTTP requests or internal service discovery that reaches the database layer. Axum is a Rust web framework that encourages composing handlers with middleware and typed routing. When an endpoint accepts a URL or host parameter and uses it to make an HTTP call—such as fetching a remote schema, validating a resource, or calling another internal service—SSRF arises if an attacker can direct those requests to internal endpoints, including the CockroachDB HTTP status or admin endpoints, or to sensitive metadata services.

In a typical Axum + Cockroachdb setup, developers might use an HTTP client like reqwest to call an external configuration service or to validate connectivity. If the target URL is derived from user input without strict allowlisting, an attacker can supply an internal address such as http://localhost:8080/_status/vars (CockroachDB debug endpoints) or the Cloud Metadata Service at http://169.254.169.254. Successful exploitation can reveal cluster internals, configuration, or provide a pivot to exfiltrate data through the database layer. middleBrick detects SSRF by tracing unvalidated inputs that reach network calls and by correlating runtime behavior with OpenAPI specs and database references.

Because CockroachDB often exposes HTTP administrative endpoints for monitoring and diagnostics, an SSRF vulnerability can become a database reconnaissance vector. For example, if Axum dynamically constructs a request to a service discovery endpoint that returns CockroachDB node addresses, an attacker may force the application to enumerate internal nodes via the /_status/nodes endpoint. middleBrick’s 12 parallel checks include SSRF alongside Input Validation and Property Authorization to highlight such risky input flows and provide remediation guidance that emphasizes strict URL allowlists and network segmentation.

Remediation centers on preventing untrusted input from influencing network destinations and ensuring database credentials remain isolated. In Axum, prefer static configuration for database connections and avoid building connection strings or HTTP targets from request parameters. When external calls are necessary, validate and sanitize inputs rigorously and use an allowlist approach.

Example: a vulnerable Axum handler that accepts a url query parameter and performs an HTTP GET:

// Vulnerable pattern — do not use
async fn fetch_data(query: Query<FetchQuery>) -> Result<impl IntoResponse, (StatusCode, String)> {
    let client = reqwest::Client::new();
    let resp = client.get(&query.url).send().await.map_err(|e| (StatusCode::BAD_GATEWAY, e.to_string()))?;
    let text = resp.text().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
    Ok(text)
}

An attacker can supply url=http://localhost:8080/_status/vars to probe Cockroachdb internals. A safe refactor uses a static, environment-provided base URL and path validation:

// Safe pattern — allowlist known paths only
async fn fetch_data(
    query: Query<FetchQuery>,
    State(client): State<Arc<reqwest::Client>>,
) -> Result<impl IntoResponse, (StatusCode, String)> {
    const ALLOWED_PATHS: &[&str] = "/api/config", "/api/version";
    let base = std::env::var("EXTERNAL_BASE_URL").expect("EXTERNAL_BASE_URL must be set");
    let path = query.path.trim_start_matches('/');
    if !ALLOWED_PATHS.contains(&path) {
        return Err((StatusCode::BAD_REQUEST, "invalid path".into()));
    }
    let url = format!("{}/{}", base, path);
    let resp = client.get(&url).send().await.map_err(|e| (StatusCode::BAD_GATEWAY, e.to_string()))?;
    let text = resp.text().await.map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
    Ok(text)
}

For Cockroachdb connectivity, configure the database client once at startup using a fixed connection string sourced from environment variables or a secure configuration store, rather than constructing it from request data:

// Establish a single Cockroachdb client safely
use cockroachdb_rs::Client;

async fn build_db_client() -> Result<Client, Box<dyn std::error::Error>> {
    let database_url = std::env::var("COCKROACH_URL")?; // e.g., postgresql://user:pass@host:26257/db?sslmode=require
    let client = Client::new(&database_url).await?;
    Ok(client)
}

Ensure that the application does not expose database diagnostics endpoints through Axum routes and that any outbound HTTP client enforces network policies that prevent connections to internal metadata services. middleBrick’s scans will surface SSRF risks tied to specific endpoints and provide prioritized remediation steps aligned with OWASP API Top 10 and common compliance frameworks.