Raw user input in data store query detected.

Description

Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.

Remediations

Narrow down your query from the code instead of using unsanitzed user input to define it.

Example:

exports.handler = async function(event, context) {
var params = {
Key: {
"artist": {"S": event.input },
"song": {"S": "Carrot Eton"}
},
TableName: "artists"
};
var result = await dynamodb.getItem(params).promise()
console.log(JSON.stringify(result))
}

Resources

Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.