dynamodb_query_injection.yml

imports:
  - javascript_shared_common_user_input
patterns:
  - pattern: | # AWS SDK V3 DynamoDB
      new QueryCommand($<QUERY>)
    filters:
      - variable: QUERY
        detection: javascript_third_parties_dynamodb_query_injection_raw_user_input
        scope: result
  - pattern: | # AWS SDK V2 DynamoDB
      $<DYNAMODB_INIT>.query($<QUERY>, $<_>)
    filters:
      - variable: QUERY
        detection: javascript_third_parties_dynamodb_query_injection_raw_user_input
        scope: result
      - variable: DYNAMODB_INIT
        detection: javascript_third_parties_dynamodb_query_injection_dynamodb_v2_init
        scope: cursor
auxiliary:
  - id: javascript_third_parties_dynamodb_query_injection_hash
    patterns:
      - |
        {$<...>}
  - id: javascript_third_parties_dynamodb_query_injection_dynamodb_v2_init
    patterns:
      - new AWS.DynamoDB.DocumentClient()
  - id: javascript_third_parties_dynamodb_query_injection_raw_user_input
    patterns:
      - pattern: $<USER_INPUT>
        filters:
          - variable: USER_INPUT
            detection: javascript_shared_common_user_input
            scope: cursor
          - not:
              variable: USER_INPUT
              detection: javascript_third_parties_dynamodb_query_injection_hash
languages:
  - javascript
severity: critical
metadata:
  description: "Unsanitized user input in DynamoDB query"
  remediation_message: |
    ## Description

    Including unsanitized data, such as user input or request data, in raw queries makes your application vulnerable to injection attacks.

    ## Remediations

    - **Do** narrow down your query from the code instead of using unsanitzed user input to define it.
      ```javascript
      exports.handler = async function(event, context) {
          var params = {
              Key: {
              "artist": {"S": event.input },
              "song": {"S": "Carrot Eton"}
              },
              TableName: "artists"
          };
          var result = await dynamodb.getItem(params).promise()
          console.log(JSON.stringify(result))
      }
      ```

    ## References

    - [OWASP nosql injection explained](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection)

  cwe_id:
    - 943
  id: "javascript_third_parties_dynamodb_query_injection"
  documentation_url: https://docs.bearer.com/reference/rules/javascript_third_parties_dynamodb_query_injection
  cloud_code_suggestions: true