Unsanitized user input in DynamoDB query
- Rule ID: javascript_third_parties_dynamodb_query_injection
- Languages: javascript
- Source: dynamodb_query_injection.yml
Description
Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.
Remediations
- Do narrow down your query from the code instead of using unsanitzed user input to define it.
exports.handler = async function(event, context) {
var params = {
Key: {
"artist": {"S": event.input },
"song": {"S": "Carrot Eton"}
},
TableName: "artists"
};
var result = await dynamodb.getItem(params).promise()
console.log(JSON.stringify(result))
}
References
Associated CWE
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_third_parties_dynamodb_query_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_third_parties_dynamodb_query_injection