Raw user input in data store query detected.

Rule ID: javascript_third_parties_dynamodb_query_injection
Languages: javascript
Source: dynamodb_query_injection.yml

Description

Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.

Remediations

Narrow down your query from the code instead of using unsanitzed user input to define it.

Example:

exports.handler = async function(event, context) {
    var params = {
        Key: {
         "artist": {"S": event.input },
         "song": {"S": "Carrot Eton"}
        },
        TableName: "artists"
    };
    var result = await dynamodb.getItem(params).promise()
    console.log(JSON.stringify(result))
}

Resources

OWASP nosql injection explained

Associated CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

OWASP Top 10

A03:2021 - Injection

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_third_parties_dynamodb_query_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_third_parties_dynamodb_query_injection

Ready to take the next step? Learn more about Bearer Cloud.