Raw user input in data store query detected.
- Rule ID: javascript_third_parties_dynamodb_query_injection
- Languages: javascript
- Source: dynamodb_query_injection.yml
Description
Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.
Remediations
Narrow down the query from your code instead of letting unsanitized user input define it. Decide in code which table, key attributes and expressions are used, and pass request data only as typed attribute values (the Key map, or ExpressionAttributeValues placeholders such as ":v"), never by concatenating it into an expression string such as KeyConditionExpression or FilterExpression.
Example:
  const AWS = require("aws-sdk");
  const dynamodb = new AWS.DynamoDB();

  exports.handler = async function(event, context) {
    // The table and the key attributes are fixed in code; the request value is
    // supplied as a typed attribute value inside Key rather than spliced into
    // an expression string.
    var params = {
      Key: {
        "artist": {"S": event.input },
        "song": {"S": "Carrot Eton"}
      },
      TableName: "artists"
    };

    var result = await dynamodb.getItem(params).promise()
    console.log(JSON.stringify(result))
    return result
  }
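The following is an added example written for this page, not Bearer's code or the rule's own fixture. It goes one step beyond the getItem case above to a query with a filter, which is where string-building usually creeps in: `buildFilterUnsafe` interpolates a request-controlled attribute name into FilterExpression, while `buildFilterSafe` keeps the expression text constant, allow-lists the field, and binds it through ExpressionAttributeNames. The table name "artists" comes from the page; the filter attributes `genre`, `label`, `year`, the function names, and the request values are assumptions. The returned params objects are what you would pass to `dynamodb.query(params).promise()` with the AWS SDK v2 client; nothing here talks to DynamoDB.

```javascript
// Added example (not Bearer's code): building DynamoDB query params from a
// request. No AWS client is created and no network call is made; the params
// objects are what you would hand to `dynamodb.query(params).promise()`.

// Assumption: the "artists" table has partition key `artist`, and requests may
// filter on one of these non-key attributes (invented for this example).
const ALLOWED_FILTER_FIELDS = new Set(["genre", "label", "year"]);

// Vulnerable: the attribute name comes straight from the request, so the caller
// controls part of the expression grammar, not just a value.
function buildFilterUnsafe(artist, field, value) {
  return {
    TableName: "artists",
    KeyConditionExpression: "artist = :a",
    FilterExpression: field + " = :v",
    ExpressionAttributeValues: {
      ":a": { S: artist },
      ":v": { S: value },
    },
  };
}

// Hardened: the expression text is a constant. The field is checked against an
// allow-list and bound through a name placeholder, the value through a value
// placeholder. DynamoDB never parses the contents of either map as expression
// syntax, so operators or function names inside them are inert.
function buildFilterSafe(artist, field, value) {
  if (typeof field !== "string" || !ALLOWED_FILTER_FIELDS.has(field)) {
    throw new Error("unsupported filter field");
  }
  if (typeof artist !== "string" || typeof value !== "string") {
    throw new Error("artist and value must be strings");
  }
  return {
    TableName: "artists",
    KeyConditionExpression: "artist = :a",
    FilterExpression: "#f = :v",
    ExpressionAttributeNames: { "#f": field },
    ExpressionAttributeValues: {
      ":a": { S: artist },
      ":v": { S: value },
    },
  };
}

// Constructed request: `field` is crafted so that, once interpolated, the filter
// becomes a tautology (attribute_exists on the partition key is always true) and
// every item under the artist is returned regardless of `value`.
const maliciousField = "genre = :v OR attribute_exists(artist) OR genre";

function demo() {
  const unsafe = buildFilterUnsafe("Adele", maliciousField, "jazz");
  // unsafe.FilterExpression === "genre = :v OR attribute_exists(artist) OR genre = :v"

  let safeRejected = false;
  try {
    buildFilterSafe("Adele", maliciousField, "jazz");
  } catch (e) {
    safeRejected = true;
  }

  // A hostile *value* is harmless in the hardened form: it stays a value.
  const safe = buildFilterSafe("Adele", "genre", "jazz OR attribute_exists(artist)");

  return {
    unsafeFilter: unsafe.FilterExpression,
    safeRejected,
    safeFilter: safe.FilterExpression,
    safeField: safe.ExpressionAttributeNames["#f"],
    safeValue: safe.ExpressionAttributeValues[":v"].S,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allow-list on the attribute name is the part people skip: ExpressionAttributeNames stops the name from being parsed as expression syntax, but it does not stop a caller from filtering on an attribute you never meant to expose, so the set of permitted fields still has to be fixed in code.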
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=javascript_third_parties_dynamodb_query_injection
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=javascript_third_parties_dynamodb_query_injection