HIGH zip slipfibercockroachdb

Zip Slip in Fiber with Cockroachdb

Q: Can the middleBrick CLI scan a Fiber API that interacts with Cockroachdb?

Yes. Use the CLI tool by running middlebrick scan <url> against your Fiber API endpoint. The scan operates without agents or credentials and produces structured output to integrate into development workflows; the Dashboard and GitHub Action can further track and gate changes.

Zip Slip in Fiber with Cockroachdb — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability where an attacker crafts a malicious archive containing files with path sequences like ../../../etc/passwd, causing extraction outside the intended directory. In a Fiber application that interacts with Cockroachdb, the risk emerges not from Cockroachdb itself, which is a distributed SQL database, but from how file uploads or archive processing are implemented in the server layer before data is stored or queried.

When a Fiber app accepts file uploads and uses unchecked user input to determine extraction paths—such as a request parameter indicating where to store or reference a file—malicious paths can traverse directories. If the compromised file writes to a location that affects database operations (for example, a configuration or script that later runs SQL against Cockroachdb), the impact can extend to data integrity or exposure. Because middleBrick scans the unauthenticated attack surface, it can detect whether the API endpoints accepting file paths or archive uploads lack proper path validation, even if Cockroachdb is used downstream.

The combination of Fiber routing, file handling, and Cockroachdb usage amplifies the need for strict input validation. An endpoint that receives a filename, constructs a filesystem path, and then interacts with Cockroachdb using that path without normalization or allowlisting can be exploited. middleBrick’s checks for Input Validation and Property Authorization help identify whether path traversal is possible in the API surface that interfaces with Cockroachdb, ensuring that user-controlled data never dictates filesystem or query behavior.

Cockroachdb-Specific Remediation in Fiber — concrete code fixes

To remediate Zip Slip in a Fiber application that uses Cockroachdb, enforce strict path validation and avoid direct concatenation of user input into filesystem or SQL logic. Use Go’s path/filepath utilities to clean and restrict paths, and ensure database interactions use parameterized queries to avoid injection or misuse of derived paths.

Secure file path handling in Fiber

package main

import (
    "io/fs"
    "net/http"
    "path/filepath"

    "github.com/gofiber/fiber/v2"
)

func uploadHandler(baseDir string) fiber.Handler {
    return func(c *fiber.Ctx) error {
        // Get user-supplied target path (e.g., from form field)
        target := c.FormValue("path")
        if target == "" {
            return c.Status(http.StatusBadRequest).SendString("missing path")
        }

        // Clean and restrict to baseDir only
        cleaned := filepath.Clean(target)
        // Ensure no traversal beyond baseDir
        finalPath := filepath.Join(baseDir, cleaned)
        if !isSubpath(baseDir, finalPath) {
            return c.Status(http.StatusForbidden).SendString("invalid path")
        }

        // Proceed to store file at finalPath and interact with Cockroachdb as needed
        // Example: save file and record metadata in Cockroachdb using parameterized queries
        return c.SendStatus(http.StatusOK)
    }
}

func isSubdir(base, target string) bool {
    rel, err := filepath.Rel(base, target)
    if err != nil {
        return false
    }
    return !isDot(rel)
}

func isDot(s string) bool {
    return s == "." || len(s) >= 2 && s[0] == '.' && (s[1] == '/' || s[1] == '\' || s[1] == os.PathSeparator)
}

Cockroachdb interaction with parameterized queries

When storing or retrieving data related to file metadata, always use parameterized statements to avoid SQL injection and ensure that paths are treated as data, not executable code.

package main

import (
    "context"
    "log"

    "github.com/jackc/pgx/v5/pgxpool"
)

func storeFileMetadata(pool *pgxpool.Pool, userID string, filePath string) error {
    ctx := context.Background()
    // Use parameterized query: path is passed as a parameter, not interpolated
    _, err := pool.Exec(ctx, "INSERT INTO file_metadata (user_id, file_path) VALUES ($1, $2)", userID, filePath)
    if err != nil {
        log.Printf("failed to insert metadata: %v", err)
        return err
    }
    return nil
}

func getFileMetadata(pool *pgxpool.Pool, userID string) (string, error) {
    ctx := context.Background()
    var filePath string
    // Fetch using placeholders to avoid path-based injection
    err := pool.QueryRow(ctx, "SELECT file_path FROM file_metadata WHERE user_id = $1", userID).Scan(&filePath)
    if err != nil {
        return "", err
    }
    return filePath, nil
}

By combining strict path cleaning with parameterized database interactions, a Fiber service using Cockroachdb can neutralize Zip Slip risks while maintaining reliable data storage and retrieval.

Frequently Asked Questions

Does middleBrick test for Zip Slip in APIs that use Cockroachdb?

Yes. middleBrick runs Input Validation checks that detect path traversal risks in endpoints that handle file paths or archives, regardless of the downstream database such as Cockroachdb. Findings include severity and remediation guidance.

Can the middleBrick CLI scan a Fiber API that interacts with Cockroachdb?

Yes. Use the CLI tool by running middlebrick scan <url> against your Fiber API endpoint. The scan operates without agents or credentials and produces structured output to integrate into development workflows; the Dashboard and GitHub Action can further track and gate changes.