Unsanitized user input in DynamoDB query
Overview
Rule ID: javascript_third_parties_dynamodb_query_injection
Applicable Languages: Javascript
Weakness ID: CWE-201
Description
Including unsanitized data, such as user input or request data, in raw queries exposes your application to injection attacks.
Remediation Guidelines
Limit your query parameters within the code instead of using unsanitized user input to define them.
// DynamoDB client (AWS SDK v2); the snippet leaves it undefined, so it is declared here.
const AWS = require("aws-sdk");
const dynamodb = new AWS.DynamoDB();

exports.handler = async function (event, context) {
  var params = {
    Key: {
      // The partition key value is taken straight from the incoming event (request data).
      "artist": { "S": event.input },
      "song": { "S": "Carrot Eton" }
    },
    TableName: "artists"
  };
  var result = await dynamodb.getItem(params).promise();
  console.log(JSON.stringify(result));
};
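The following is an added example, not code from the page or from the rule's own documentation, showing what "limit your query parameters within the code" looks like for a DynamoDB query. It builds the parameter object for a `query` call without calling AWS, so it runs offline. The table name, key names and the allowlist of filterable attributes are assumptions chosen to match the page's "artists" table with keys "artist" and "song"; the `event` objects are constructed inputs.

```javascript
// Added example (not part of the original page). Demonstrates the difference
// between letting request data define the query expression and letting request
// data supply only values for a query whose shape is fixed in code.

const TABLE_NAME = "artists"; // assumed table, as on the page

// Attributes a caller may filter on. Anything else is rejected before a
// request is built, so the expression grammar is never under caller control.
const FILTERABLE_ATTRIBUTES = new Set(["song", "album", "year"]); // assumed schema

// Unsafe: the whole FilterExpression comes from the request. The caller can
// reference any attribute and use any operator the expression language allows.
function buildUnsafeQuery(event) {
  return {
    TableName: TABLE_NAME,
    KeyConditionExpression: "artist = :artist",
    FilterExpression: event.filter, // raw, caller-defined expression
    ExpressionAttributeValues: { ":artist": { S: event.artist } },
  };
}

// Reject anything that is not a bounded, non-empty string before it is used.
function requireString(value, name) {
  if (typeof value !== "string" || value.length === 0 || value.length > 256) {
    throw new Error(`${name} must be a non-empty string of at most 256 characters`);
  }
  return value;
}

// Safe: the expression text is a constant. Request data only fills
// placeholders (ExpressionAttributeValues) or selects an attribute name from
// the allowlist, which is then bound through ExpressionAttributeNames.
function buildSafeQuery(event) {
  const artist = requireString(event.artist, "artist");
  const params = {
    TableName: TABLE_NAME,
    KeyConditionExpression: "#pk = :artist",
    ExpressionAttributeNames: { "#pk": "artist" },
    ExpressionAttributeValues: { ":artist": { S: artist } },
  };
  if (event.filterAttr !== undefined) {
    if (!FILTERABLE_ATTRIBUTES.has(event.filterAttr)) {
      throw new Error(`filterAttr is not a filterable attribute`);
    }
    const value = requireString(event.filterValue, "filterValue");
    params.FilterExpression = "#f = :f";
    params.ExpressionAttributeNames["#f"] = event.filterAttr;
    params.ExpressionAttributeValues[":f"] = { S: value };
  }
  return params;
}

// Constructed sample request, mirroring the page's artist/song example.
const sampleEvent = { artist: "Eton", filterAttr: "song", filterValue: "Carrot Eton" };
console.log(JSON.stringify(buildSafeQuery(sampleEvent), null, 2));

module.exports = { buildUnsafeQuery, buildSafeQuery, requireString, FILTERABLE_ATTRIBUTES };
```

The hardened builder never concatenates request data into `KeyConditionExpression` or `FilterExpression`; the only things a caller influences are a placeholder value and a choice from a fixed set of attribute names, which is the property a scanner rule like this one is checking for.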
References
Configuration
To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL