Event Field String Concatenation
Lambda event fields are directly concatenated or formatted into SQL query strings using fmt.Sprintf or string concatenation.
A SQL injection vulnerability: fields from the Lambda event are concatenated into SQL strings instead of being passed as parameters. Because the input becomes part of the statement text, attacker-controlled values can alter the query structure, potentially allowing attackers to read, modify, or delete data, escalate privileges, and run unintended queries against the database.
package main
import (
"context"
"database/sql"
"fmt"
"github.com/aws/aws-lambda-go/events"
"github.com/aws/aws-lambda-go/lambda"
_ "github.com/lib/pq"
)
// handleRequest looks up a user by the "userId" path parameter and then
// searches users by the "search" and "status" query-string parameters.
//
// Both statements below are built by formatting event-supplied text into the
// SQL string, so the values become part of the statement rather than bound
// parameters; quote characters in them change the statement's structure.
// The "VULNERABLE" comments mark each sink. Unrelated to the injection: the
// sql.Open error is discarded, and the *sql.Rows returned by QueryContext are
// neither read nor closed, so each call keeps a pooled connection checked out.
func handleRequest(ctx context.Context, request events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
	// connectionString is not defined in this listing; presumably a
	// package-level value — confirm where it comes from.
	db, _ := sql.Open("postgres", connectionString)
	defer db.Close()
	// All three values are attacker-controlled: they come straight from the
	// API Gateway event.
	userID := request.PathParameters["userId"]
	search := request.QueryStringParameters["search"]
	status := request.QueryStringParameters["status"]
	// VULNERABLE: fmt.Sprintf with path parameter
	// %s inserts userID verbatim between the quotes; the driver never sees it
	// as a separate value. The fix is a placeholder: "... WHERE id = $1", userID.
	query := fmt.Sprintf("SELECT * FROM users WHERE id = '%s'", userID)
	db.QueryContext(ctx, query)
	// VULNERABLE: fmt.Sprintf with query parameters
	// Same sink; the %% only produces literal LIKE wildcards for Sprintf, it
	// does nothing to neutralise the contents of search or status.
	searchQuery := fmt.Sprintf(
		"SELECT * FROM users WHERE name LIKE '%%%s%%' AND status = '%s'",
		search, status,
	)
	db.QueryContext(ctx, searchQuery)
	// Results of both queries are discarded; the handler always reports 200.
	return events.APIGatewayProxyResponse{StatusCode: 200}, nil
}
// main registers handleRequest with the Lambda runtime and blocks serving
// events.
func main() {
	handler := handleRequest
	lambda.Start(handler)
}
package main
import (
	"context"
	"database/sql"
	"fmt"

	"github.com/aws/aws-lambda-go/events"
	"github.com/aws/aws-lambda-go/lambda"
	_ "github.com/lib/pq"
)
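// handleRequest looks up a user by the "userId" path parameter and then
// searches users by the "search" and "status" query-string parameters.
//
// Every event-supplied value is handed to the driver through a $n placeholder,
// so it travels as data and cannot change the statement's structure. Errors
// from opening the pool and from each query are returned instead of dropped,
// and each result set is closed so its connection goes back to the pool.
//
// Returns a 200 response on success, or a 500 response together with the
// wrapped error.
func handleRequest(ctx context.Context, request events.APIGatewayProxyRequest) (events.APIGatewayProxyResponse, error) {
	// NOTE(review): sql.Open per invocation builds a fresh pool every time; a
	// package-level *sql.DB reused across warm invocations is the usual Lambda
	// pattern. Left as-is to keep the listing's structure.
	db, err := sql.Open("postgres", connectionString)
	if err != nil {
		return serverError(), fmt.Errorf("opening database: %w", err)
	}
	defer db.Close()

	userID := request.PathParameters["userId"]
	search := request.QueryStringParameters["search"]
	status := request.QueryStringParameters["status"]

	// SECURE: $1 placeholder — userID is bound, never interpolated.
	if err := runQuery(ctx, db, "SELECT * FROM users WHERE id = $1", userID); err != nil {
		return serverError(), fmt.Errorf("querying user by id: %w", err)
	}

	// SECURE: $1, $2 placeholders. The LIKE wildcards are added to the bound
	// value, not to the SQL text. A '%' or '_' inside search still acts as a
	// LIKE wildcard; that widens the match but cannot alter the statement.
	err = runQuery(ctx, db,
		"SELECT * FROM users WHERE name LIKE $1 AND status = $2",
		"%"+search+"%", status,
	)
	if err != nil {
		return serverError(), fmt.Errorf("searching users: %w", err)
	}
	return events.APIGatewayProxyResponse{StatusCode: 200}, nil
}

// runQuery executes a parameterized query whose result set this handler does
// not consume, closing the rows at once so the pooled connection is released.
// It reports the query error, if any.
func runQuery(ctx context.Context, db *sql.DB, query string, args ...interface{}) error {
	rows, err := db.QueryContext(ctx, query, args...)
	if err != nil {
		return err
	}
	return rows.Close()
}

// serverError is the response returned when a database step fails; details
// stay in the returned error rather than in the client-visible body.
func serverError() events.APIGatewayProxyResponse {
	return events.APIGatewayProxyResponse{StatusCode: 500}
}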
// main registers handleRequest with the Lambda runtime and blocks serving
// events.
func main() {
	handler := handleRequest
	lambda.Start(handler)
}
The vulnerable code uses fmt.Sprintf to build SQL queries with Lambda event data, allowing SQL injection attacks. The fixed version uses parameterized queries with $1, $2 placeholders to safely bind all user-controlled values.
Lambda event fields are directly concatenated or formatted into SQL query strings using fmt.Sprintf or string concatenation.
Sourcery automatically identifies SQL injection from Lambda event data in database/sql queries in AWS Lambda, along with many other security issues in your codebase.