Unsanitized user input in DynamoDB query

Overview

  • Rule ID: javascript_third_parties_dynamodb_query_injection

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-201

Description

Including unsanitized data, such as user input or request data, directly in DynamoDB request parameters or query statements exposes your application to injection attacks: a caller who controls the value can influence which items are read or which conditions the query applies.

Remediation Guidelines

  • Define the query's parameters (table name, key attribute names, expression text) in code, and validate any request data before it is used as a value. Do not let unsanitized user input define them.

     The pattern this rule flags: `event.input` comes straight from the request and is used as the partition key value without any validation.

     const AWS = require("aws-sdk");
     const dynamodb = new AWS.DynamoDB();

     exports.handler = async function(event, context) {
        var params = {
            Key: {
                "artist": {"S": event.input },   // unsanitized request data
                "song": {"S": "Carrot Eton"}
            },
            TableName: "artists"
          };
        var result = await dynamodb.getItem(params).promise()
        console.log(JSON.stringify(result))
      }
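
Added example (not code from the original page or from the rule's own documentation): the guideline above carried through for the getItem request the page shows, and also for PartiQL statements, which are the DynamoDB call where string concatenation is injectable in the classic sense. The table name "artists" and the key attributes "artist"/"song" come from the page; the allow-list, the PartiQL statement, the function names and the sample events are assumptions made for this example. No SDK call is made, so it runs offline; the call sites are shown as comments.

```javascript
"use strict";

// Added example, not code from the original page: DynamoDB request parameters
// built so that request data can only ever be a *value*, never part of the
// request structure. Table name and key attribute names are fixed in code;
// the caller supplies values that are validated before use.

const TABLE_NAME = "artists"; // fixed in code, never taken from the request

// Allow-list for artist names (an assumption for this example): letters,
// digits, space and a few punctuation characters, at most 100 characters.
// The point is that the bound is enforced in code before the SDK sees it.
const ARTIST_PATTERN = /^[\p{L}\p{N} .'&-]{1,100}$/u;

// Reject anything that is not a plain string matching the allow-list.
// JSON request bodies can carry objects or arrays where a string is
// expected; they are rejected here instead of being handed to the SDK.
function validateArtist(value) {
  if (typeof value !== "string") {
    throw new TypeError("artist must be a string");
  }
  if (!ARTIST_PATTERN.test(value)) {
    throw new RangeError("artist contains disallowed characters or is too long");
  }
  return value;
}

// The pattern the rule flags: the request value is dropped into the Key map
// unchecked. The typed {"S": ...} wrapper makes it a string attribute, but
// nothing stops a non-string, an empty value or an unbounded one.
function unsafeGetItemParams(event) {
  return {
    TableName: TABLE_NAME,
    Key: {
      artist: { S: event.input },
      song: { S: "Carrot Eton" },
    },
  };
}

// Hardened: the same request, but only the field the code expects is read
// from the event and it is validated before use. In a real handler the result
// goes to dynamodb.getItem(params).promise() (aws-sdk v2).
function safeGetItemParams(event) {
  const artist = validateArtist(event.input);
  return {
    TableName: TABLE_NAME,
    Key: {
      artist: { S: artist },
      song: { S: "Carrot Eton" },
    },
  };
}

// PartiQL is where DynamoDB is string-based and therefore injectable in the
// classic sense. Concatenating request data into the statement lets the
// caller close the quote and append their own predicate. Validation alone
// does not rescue this version: a legitimate name such as "Guns N' Roses"
// has to be allowed to contain a quote.
function unsafePartiqlParams(event) {
  return {
    Statement: `SELECT * FROM "${TABLE_NAME}" WHERE artist = '${event.input}'`,
  };
}

// Hardened: the statement text is a constant with ? placeholders and the
// value travels separately in Parameters, where it can only be data.
// In a real handler the result goes to dynamodb.executeStatement(params).promise().
function safePartiqlParams(event) {
  const artist = validateArtist(event.input);
  return {
    Statement: `SELECT * FROM "${TABLE_NAME}" WHERE artist = ?`,
    Parameters: [{ S: artist }],
  };
}

// Constructed sample events (not real traffic): one legitimate, one crafted
// from allow-listed characters only so that it passes validation yet rewrites
// the concatenated statement, and one carrying an object where a string is
// expected.
const SAMPLE_EVENTS = {
  legitimate: { input: "Guns N' Roses" },
  crafted: { input: "x' OR artist BETWEEN 'a' AND 'z" },
  wrongType: { input: { S: "x" } },
};
```

With the crafted event, `unsafePartiqlParams` produces `WHERE artist = 'x' OR artist BETWEEN 'a' AND 'z'`, which returns every artist in that range, while `safePartiqlParams` keeps the statement constant and ships the whole string as one parameter. The getItem builders show the cheaper half of the guideline: keep the table and key names in code and bound the value's type and length before it is used.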

Configuration

To omit this rule during a scan, exclude it by its rule ID (javascript_third_parties_dynamodb_query_injection) in your scanner configuration.