
API Panic Vulnerabilities via unwrap() Misuse #329

@gtema


VULNERABLE PATTERNS:

// VULNERABLE: Direct unwrap() without validation
let token = request.headers().get("X-Auth-Token").unwrap(); // Panics if missing
let user_id = json["user"]["id"].as_str().unwrap(); // Panics if malformed
let parts: Vec<&str> = path.split('/').collect();
let resource_id = parts[3].parse::<i32>().unwrap(); // Panics on invalid input

ATTACK VECTOR:

  • Send API requests without required headers (missing X-Auth-Token)
  • Submit malformed JSON with missing required fields
  • Provide non-numeric values where integers expected
  • Trigger service panic and crash
  • Repeated attacks cause service unavailability

IMPACT:

  • Service crash and restart (DoS)
  • Partial or complete service unavailability
  • Thread panic potentially taking down entire runtime
  • Error messages may leak internal structure
  • Loss of in-flight requests

REMEDIATION:

// SECURE: Proper error handling with Result and Option
use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
use actix_web::{Error, HttpRequest};

fn extract_token(req: &HttpRequest) -> Result<&str, Error> {
    req.headers()
        .get("X-Auth-Token")
        .ok_or_else(|| ErrorUnauthorized("Missing authentication token"))?
        .to_str()
        .map_err(|_| ErrorBadRequest("Invalid token format"))
}

fn parse_user_id(json: &serde_json::Value) -> Result<&str, Error> {
    json["user"]["id"]
        .as_str()
        .ok_or_else(|| ErrorBadRequest("Invalid user format"))
}
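
Added example, not part of the original issue or the project's code: a std-only sketch that also covers the third pattern above (`parts[3].parse::<i32>().unwrap()`), which the remediation snippet does not address. The `ApiError` type, the `handle` function, the `HashMap` header representation and the sample paths are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Hypothetical error type: each failure maps to an HTTP status, never a panic.
#[derive(Debug, PartialEq)]
pub enum ApiError {
    Unauthorized(&'static str),
    BadRequest(&'static str),
}

impl ApiError {
    pub fn status(&self) -> u16 {
        match self {
            ApiError::Unauthorized(_) => 401,
            ApiError::BadRequest(_) => 400,
        }
    }
}

// Assumed header representation; a framework's header map is case-insensitive.
pub fn extract_token(headers: &HashMap<String, String>) -> Result<&str, ApiError> {
    headers
        .get("X-Auth-Token")
        .map(String::as_str)
        .ok_or(ApiError::Unauthorized("Missing authentication token"))
}

// Replaces `parts[3].parse::<i32>().unwrap()`: no panic on a short path or a bad number.
pub fn parse_resource_id(path: &str) -> Result<i32, ApiError> {
    path.split('/')
        .nth(3)
        .ok_or(ApiError::BadRequest("Missing resource id"))?
        .parse::<i32>()
        .map_err(|_| ApiError::BadRequest("Invalid resource id"))
}

pub fn handle(headers: &HashMap<String, String>, path: &str) -> Result<i32, ApiError> {
    extract_token(headers)?;
    parse_resource_id(path)
}

fn main() {
    // Constructed requests, including the malformed inputs the issue lists.
    let mut headers: HashMap<String, String> = HashMap::new();
    println!("no token -> {:?}", handle(&headers, "/v3/users/42").map_err(|e| e.status()));
    headers.insert("X-Auth-Token".into(), "constructed-token".into());
    for path in ["/v3/users/42", "/v3/users", "/v3/users/abc", "/v3/users/99999999999"] {
        println!("{path} -> {:?}", handle(&headers, path).map_err(|e| e.status()));
    }
}
```

Every malformed request ends in a 400 or 401 value the caller can turn into a response, including the short path that would make `parts[3]` panic on the index itself and the value that overflows `i32`.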
