Unsanitized user input in AWS query

• Rule ID: java_third_parties_aws_query_injection
• Languages: java
• Source: aws_query_injection.yml

Description

Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.

Remediations

• Do always sanitize user input especially if it is to be used in database queries. Where possible, such sanitization should include the removal of special characters (like ' or ") that could be used to alter the semantics of a database query.
• Do validate user input wherever possible, to ensure it is the expected format and length
• Do use parameterized queries rather than concatenating user input directly into the query string. This separates query logic from user input, which is good practice, and also in the case of AWS SimpleDB, lets us take advantage of the internal parameterization and sanitization of SelectRequest.

    // query logic
    public static SelectResult executeQuery(String query, String itemName) {
      AmazonSimpleDB simpleDBClient = AmazonSimpleDBClientBuilder.defaultClient();
      SelectRequest selectRequest = new SelectRequest(query, true).withNextToken(itemName);
  
      return simpleDBClient.select(selectRequest);
    }
  
    public static void selectItem(String itemName) { // itemName is dynamic and could be malicious
      // parameterized query string
      String query = "select * from items where itemName = ?";
  
      SelectResult result = executeQuery(query, itemName);
      ...
    }

References

• AWS SimpleDB docs

Associated CWE

• CWE-943: Improper Neutralization of Special Elements in Data Query Logic

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_third_parties_aws_query_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_third_parties_aws_query_injection