SQL injection from AWS Lambda event data in Node pg query

Critical Risk sql-injection
javascript, nodejs, aws-lambda, pg, postgresql, sql-injection

What it is

SQL injection vulnerability where untrusted AWS Lambda event fields (path parameters, query string parameters, request body fields, headers) are concatenated into SQL strings sent to node-postgres (pg) without placeholders or proper escaping. An attacker who controls the event can alter or read database data, execute arbitrary SQL, escalate privileges, or exfiltrate sensitive information.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

The handler builds the SQL text by concatenating Lambda event fields into it, so attacker-controlled input is parsed as part of the statement instead of being sent to Postgres as a value.

Root causes

String Concatenation with Event Data

AWS Lambda event fields are directly concatenated into SQL query strings without parameterization.

Missing Parameter Binding

Not using node-postgres parameterized queries ($1, $2 placeholders with a separate values array), or interpolating the values into the query text anyway so the placeholders never carry the untrusted data.

Fixes

1

Use Parameterized Queries with Placeholders

Always use parameterized queries with $1, $2 placeholders and pass the values separately to pg client.query(); pg then sends text and values to the server separately, so the value is never parsed as SQL. Placeholders cover values only: identifiers such as table or column names and ORDER BY direction cannot be parameterized and must be chosen from a fixed allow-list.

View implementation
client.query('SELECT * FROM users WHERE id = $1', [event.pathParameters.userId])
2

Validate and Type-Check Event Fields

Implement strict validation for all Lambda event fields before using them in database queries.

View implementation
Validate that IDs are integers, email addresses match expected patterns, etc.
3

Use Prepared Statements for Repeated Queries

For queries that run many times, give the query a name so node-postgres prepares it once per connection and reuses the server-side plan. pg has no client.prepare()/execute() API; a named prepared statement is a query config object with name, text and values passed to client.query(). The values still travel as parameters, so this keeps the same injection protection as fix 1; the gain is performance, not extra safety.

View implementation
const fetchUser = { name: 'fetch-user', text: 'SELECT * FROM users WHERE id = $1', values: [userId] }; const result = await client.query(fetchUser);

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from AWS Lambda event data in Node pg queries and many other security issues in your codebase.