# Unsanitized user input in DynamoDB query

## Overview

* **Rule ID**: `javascript_third_parties_dynamodb_query_injection`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)

## Description

Including unsanitized data, such as user input or request data, directly in a DynamoDB query exposes your application to injection attacks: an attacker who controls the value decides which records the query addresses, and, where the value is concatenated into a statement or expression string, can change the structure of the query itself.

## Remediation Guidelines

* Limit your query parameters within the code instead of using unsanitized user input to define them. Validate any value that must come from the request (type, length, allowed characters) before it reaches the query, and never build statement or expression strings by concatenation.

  The pattern this rule reports: a value taken straight from the Lambda event (`event.input`) is placed in the key of a `getItem` call without any validation.

  ```javascript
  const AWS = require("aws-sdk");
  const dynamodb = new AWS.DynamoDB();

  exports.handler = async function (event, context) {
    // event.input is request data and has not been validated; this is the sink the rule flags
    const params = {
      Key: {
        artist: { S: event.input },
        song: { S: "Carrot Eton" }
      },
      TableName: "artists"
    };
    const result = await dynamodb.getItem(params).promise();
    console.log(JSON.stringify(result));
  };
  ```
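The following is an added example, not code from the rule page or from AWS: it places the unvalidated `getItem` pattern beside a hardened version that allowlists the artist value, and shows the same contrast for a PartiQL statement, where concatenation is directly injectable and `Parameters` is the fix. The table layout (`artists`, keyed by `artist` and `song`), the attacker-controlled field `event.input`, the allowlist pattern and the SDK v2 call shapes `client.getItem(params).promise()` / `executeStatement({ Statement, Parameters })` are assumptions; no real AWS client is used, and the in-memory stand-in and sample data are constructed so the code runs offline.

```javascript
// Added example (not part of the original rule page): vulnerable and hardened
// ways of turning event.input into a DynamoDB lookup.
// Assumptions: table "artists" keyed by artist (S) + song (S); event.input is
// attacker-controlled; AWS SDK v2 call shape client.getItem(params).promise().

// Allowlist for an artist key. Character set and length are assumptions for
// this example; tighten them to whatever the table actually stores.
const ARTIST_PATTERN = /^[A-Za-z0-9 .\-]{1,64}$/;

// Reject anything that is not a plain string matching the allowlist. This also
// catches a JSON object smuggled into a field the code expects to be text.
function validateArtist(input) {
  if (typeof input !== "string") {
    throw new TypeError("artist must be a string");
  }
  if (!ARTIST_PATTERN.test(input)) {
    throw new RangeError("artist has disallowed characters or length");
  }
  return input;
}

// Vulnerable: request data becomes the key with no check at all.
function buildGetItemParamsUnsafe(untrustedArtist) {
  return {
    TableName: "artists",
    Key: { artist: { S: untrustedArtist }, song: { S: "Carrot Eton" } },
  };
}

// Hardened: the key is built from a validated value; the song is fixed in code.
function buildGetItemParams(untrustedArtist) {
  return {
    TableName: "artists",
    Key: { artist: { S: validateArtist(untrustedArtist) }, song: { S: "Carrot Eton" } },
  };
}

// PartiQL, vulnerable: the input is concatenated into the statement text, so a
// single quote in the input rewrites the WHERE clause.
function buildStatementUnsafe(untrustedArtist) {
  return { Statement: `SELECT * FROM artists WHERE artist = '${untrustedArtist}'` };
}

// PartiQL, hardened: the statement is a constant and the value travels in
// Parameters, where it cannot alter the query structure.
function buildStatement(untrustedArtist) {
  return {
    Statement: "SELECT * FROM artists WHERE artist = ?",
    Parameters: [{ S: validateArtist(untrustedArtist) }],
  };
}

// Lambda handler with the client passed in, so the logic is testable offline.
async function handler(event, client) {
  const result = await client.getItem(buildGetItemParams(event.input)).promise();
  return result.Item || null;
}

// Constructed stand-in for the SDK v2 DynamoDB client over an in-memory table.
function makeFakeClient(items) {
  return {
    getItem(params) {
      const hit = items.find(
        (it) => it.artist.S === params.Key.artist.S && it.song.S === params.Key.song.S
      );
      return { promise: async () => (hit ? { Item: hit } : {}) };
    },
  };
}

// Constructed sample data and a constructed injection payload.
const SAMPLE_ITEMS = [{ artist: { S: "Aphex Twin" }, song: { S: "Carrot Eton" } }];
const INJECTED = "x' OR artist <> 'x";

// Shows the concatenated statement the payload produces, and that the
// hardened builder refuses the same payload before any call is made.
function demo() {
  const unsafe = buildStatementUnsafe(INJECTED).Statement;
  let rejected;
  try {
    buildStatement(INJECTED);
    rejected = false;
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { unsafe, rejected };
}

console.log(demo());
handler({ input: "Aphex Twin" }, makeFakeClient(SAMPLE_ITEMS)).then((item) =>
  console.log(JSON.stringify(item))
);
```

The low-level `getItem` API takes structured attribute values, so a string key cannot change the operation the way a concatenated statement can; the rule still flags it because the unvalidated value alone decides which record is read, and the same untrusted value reaching a PartiQL statement or a concatenated filter or key-condition expression is directly injectable. Validating at the edge, as `validateArtist` does, covers both sinks.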

## References

* [**OWASP WSTG: Testing for NoSQL Injection**](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
* [**CWE-943: Improper Neutralization of Special Elements in Data Query Logic**](https://cwe.mitre.org/data/definitions/943.html)

## Configuration

To omit this rule during a scan, or to set up continuous code-level scanning, use the [**SAST TOOL**](https://scopy.sec1.io/login).
