Unsanitized user input in AWS query

Description

Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.

Remediations

  • Do always sanitize user input, especially if it is to be used in database queries. Where possible, such sanitization should include the removal of special characters (like ' or ") that could be used to alter the semantics of a database query.
  • Do validate user input wherever possible, to ensure it is of the expected format and length.
  • Do use parameterized queries rather than concatenating user input directly into a query string. This separates query logic from user input, which is good practice. With DynamoDB, for example, you can make use of ExpressionAttributeNames and ExpressionAttributeValues parameters for this separation:
    import boto3

    dynamodb = boto3.resource('dynamodb')
    table = dynamodb.Table('users')

    # The value to write is passed through ExpressionAttributeValues,
    # so it can never be interpreted as part of the expression text.
    table.update_item(
        Key={
            'username': 'johndoe',
            'last_name': 'Doe'
        },
        UpdateExpression='SET age = :val1',
        ExpressionAttributeValues={
            ':val1': 42
        }
    )
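The following is an added example, not code from the Bearer rule or from boto3, showing the difference between building a DynamoDB UpdateExpression from request data and separating user input out through ExpressionAttributeNames / ExpressionAttributeValues plus an allow-list. The function names (build_update_vulnerable, build_update_safe, referenced_attributes), the UPDATABLE_FIELDS allow-list and the sample request values are assumptions constructed for the example. The functions only build the keyword arguments that would be passed to table.update_item, so the example runs offline without AWS credentials.

```python
import re

# Assumed allow-list of attributes a client may update on its own record.
UPDATABLE_FIELDS = {"age", "display_name", "email"}
# Assumed username format; rejects anything that is not a plain identifier.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Keywords of the DynamoDB update-expression grammar (not attribute names).
UPDATE_KEYWORDS = {"SET", "REMOVE", "ADD", "DELETE"}


def build_update_vulnerable(username: str, field: str, value) -> dict:
    """Anti-pattern: the request-controlled field name is interpolated into
    the expression text, so whatever the client sends becomes query syntax."""
    return {
        "Key": {"username": username},
        "UpdateExpression": f"SET {field} = :val",
        "ExpressionAttributeValues": {":val": value},
    }


def build_update_safe(username: str, field: str, value) -> dict:
    """Hardened form: validate the inputs, then keep them out of the expression
    text entirely by routing the attribute name through ExpressionAttributeNames
    and the value through ExpressionAttributeValues."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if field not in UPDATABLE_FIELDS:
        raise ValueError(f"field not updatable: {field!r}")
    return {
        "Key": {"username": username},
        "UpdateExpression": "SET #f = :val",
        "ExpressionAttributeNames": {"#f": field},
        "ExpressionAttributeValues": {":val": value},
    }


def referenced_attributes(params: dict) -> set:
    """Return the attribute names an update request would touch, resolving
    #placeholders through ExpressionAttributeNames. Useful as a check in tests
    or as a last-line guard before the request leaves the application."""
    names = params.get("ExpressionAttributeNames", {})
    found = set()
    for token in re.findall(r"[#:A-Za-z_]\w*", params["UpdateExpression"]):
        if token.startswith(":") or token.upper() in UPDATE_KEYWORDS:
            continue  # value placeholder or grammar keyword
        found.add(names.get(token, token))
    return found


def apply_update(params: dict, table_name: str = "users"):
    """Send the built request with boto3 (needs AWS credentials; not run here)."""
    import boto3  # imported lazily so the rest of the module works offline

    return boto3.resource("dynamodb").Table(table_name).update_item(**params)


if __name__ == "__main__":
    # Constructed sample request: a field name that carries extra expression syntax.
    tainted_field = "age = :val, is_admin"

    weak = build_update_vulnerable("johndoe", tainted_field, 42)
    print("vulnerable request touches:", sorted(referenced_attributes(weak)))

    try:
        build_update_safe("johndoe", tainted_field, 42)
    except ValueError as exc:
        print("hardened request rejected input:", exc)

    safe = build_update_safe("johndoe", "age", 42)
    print("hardened request touches:", sorted(referenced_attributes(safe)))
```

The allow-list is what makes ExpressionAttributeNames safe to use here: the placeholder keeps the client's string out of the expression grammar, but it is the validation step that decides which attributes the client is permitted to name at all.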

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_third_parties_aws_query_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_third_parties_aws_query_injection