dynamo-injections

Try in Playground
python-boto3SecurityError

0

No tags

CWE-20

In DynamoDB, FilterExpression, ProjectionExpression or KeyConditionExpression should not have user-controlled data. That may lead to SQL injection.

Ast Rule: function call


dynamo-injections

How to write a rule
function visit(node, filename, code) {

  if (node.functionName && node.functionName.value === "scan") {

    // make sure we use boto3
    if (!useModule(node.context.imports, "boto3")) {
      return;
    }
    // get the client variable
    const clientVariable = findVariableFromFunctionCall(node.context.assignments, "boto3", "client");

    // check if the value contains a user-controlled data
    if (node.arguments && node.arguments.values) {
      const filterExpressions = node.arguments.values.filter(v => v.name && v.name.value === "FilterExpression");

      if (filterExpressions.length > 0) {
        const fe = filterExpressions[0];
        printObject(fe);
        if (fe.value.value.includes("+")) {
          const error = buildError(fe.start.line, fe.start.col,
            fe.end.line, fe.end.col,
            "String concanetation that may lead to SQL injection", "CRITICAL", "SECURITY");

          addError(error);
        }
      }
    }

  }
}

failure.py

Expected test result: has error

import boto3

DYNAMO_CLIENT = boto3.client('dynamodb', config=config)

DYNAMO_CLIENT.scan(
    FilterExpression= username + " = :u AND password = :p", # username is user-controlled
    ExpressionAttributeValues={
        ":u": { 'S': username },
        ":p": { 'S': password }
     },
    ProjectionExpression="username, password",
    TableName="users"
) # Noncompliant

no-boto3-use.py

Expected test result: no error

DYNAMO_CLIENT = boto3.client('dynamodb', config=config)

DYNAMO_CLIENT.scan(
    FilterExpression= username + " = :u AND password = :p", # username is user-controlled
    ExpressionAttributeValues={
        ":u": { 'S': username },
        ":p": { 'S': password }
     },
    ProjectionExpression="username, password",
    TableName="users"
) # Noncompliant
Add comment

Log in to add a comment


    Be the first one to leave a comment!

Codiga Logo
Codiga Hub
  • Rulesets
  • Playground
  • Snippets
  • Cookbooks
soc-2 icon

We are SOC-2 Compliance Certified

G2 high performer medal

Codiga – All rights reserved 2022.