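---
# Bearer rule: reports DynamoDB query construction whose query object is raw
# user input (as tracked by the shared javascript_shared_common_user_input
# detector). Covers AWS SDK v3 (`new QueryCommand(...)`) and AWS SDK v2
# (`DocumentClient.query(...)`).
imports:
  - javascript_shared_common_user_input

patterns:
  # AWS SDK v3: the whole argument to QueryCommand is matched as QUERY.
  - pattern: |  # AWS SDK V3 DynamoDB
      new QueryCommand($<QUERY>)
    filters:
      - variable: QUERY
        detection: javascript_third_parties_dynamodb_query_injection_raw_user_input
        scope: result
  # AWS SDK v2: receiver must be a DocumentClient instance (see the
  # _dynamodb_v2_init auxiliary); the first argument is matched as QUERY.
  # NOTE(review): as written the pattern expects a second argument ($<_>);
  # confirm whether `.query(params)` with no callback is also meant to match.
  - pattern: |  # AWS SDK V2 DynamoDB
      $<DYNAMODB_INIT>.query($<QUERY>, $<_>)
    filters:
      - variable: QUERY
        detection: javascript_third_parties_dynamodb_query_injection_raw_user_input
        scope: result
      - variable: DYNAMODB_INIT
        detection: javascript_third_parties_dynamodb_query_injection_dynamodb_v2_init
        scope: cursor

auxiliary:
  # Matches an object literal. Used below as an exclusion so that a
  # structured query built in code is not itself reported as raw input.
  - id: javascript_third_parties_dynamodb_query_injection_hash
    patterns:
      - |
        {$<...>}
  # Matches the v2 DocumentClient constructor used as the query receiver.
  - id: javascript_third_parties_dynamodb_query_injection_dynamodb_v2_init
    patterns:
      - new AWS.DynamoDB.DocumentClient()
  # A value is "raw user input" when the shared user-input detector matches
  # it and it is not an object literal (the _hash auxiliary above).
  - id: javascript_third_parties_dynamodb_query_injection_raw_user_input
    patterns:
      - pattern: $<USER_INPUT>
        filters:
          - variable: USER_INPUT
            detection: javascript_shared_common_user_input
            scope: cursor
          - not:
              variable: USER_INPUT
              detection: javascript_third_parties_dynamodb_query_injection_hash

languages:
  - javascript

severity: critical

metadata:
  description: "Unsanitized user input in DynamoDB query"
  # Shown to the developer on a finding. The example confines the
  # user-controlled value to a single key attribute instead of letting it
  # shape the query object.
  remediation_message: |
    ## Description
    Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.
    ## Remediations
    - **Do** narrow down your query from the code instead of using unsanitized user input to define it.
    ```javascript
    exports.handler = async function(event, context) {
      var params = {
        Key: {
          "artist": {"S": event.input },
          "song": {"S": "Carrot Eton"}
        },
        TableName: "artists"
      };
      var result = await dynamodb.getItem(params).promise()
      console.log(JSON.stringify(result))
    }
    ```
    ## References
    - [OWASP nosql injection explained](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)
  cwe_id:
    - 943
  id: "javascript_third_parties_dynamodb_query_injection"
  documentation_url: https://docs.bearer.com/reference/rules/javascript_third_parties_dynamodb_query_injection
  cloud_code_suggestions: true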