SQL injection from event data in SQL string in AWS Lambda

Risk: Critical
Category: sql-injection
Tags: javascript, nodejs, aws-lambda, sql-injection, dynamic-sql

What it is

SQL injection vulnerability where the Lambda handler builds SQL by concatenating user-controlled event fields, potentially allowing attackers to read or change database records, run unauthorized queries, or escalate privileges using crafted input that reaches dynamic SQL.

ℹ️ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Lambda event fields are directly concatenated or interpolated into SQL strings without parameterization.

Root causes

Event Field String Concatenation

Lambda event fields are directly concatenated or interpolated into SQL strings without parameterization.

Missing Input Validation

Failing to validate or sanitize event data before incorporating it into SQL queries.

Fixes

1. Use Parameterized Queries with Placeholders

Replace string concatenation with database-specific parameterized queries using placeholders.

Implementation: for pg, query('SELECT * FROM users WHERE id = $1', [id]); for mysql2, execute('... WHERE id = ?', [id]).

2. Consider Knex or Sequelize

Use query builders that enforce parameterization by default and provide safer APIs.

Implementation: knex('users').where('id', userId) or User.findOne({ where: { id: userId } }).

3. Validate All Event Input

Implement comprehensive validation for all Lambda event fields before using them in queries.

Implementation: check data types, formats, and ranges, and use allow-lists for expected values.
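An added example (not Sourcery's or any project's code) showing the vulnerable pattern next to the parameterized and validated form from fixes 1 and 3. It assumes an API Gateway style event carrying pathParameters.id and a pg-style client with query(text, values); the client here is a constructed stub, so it runs without a database.

```javascript
// Vulnerable: the raw event field is interpolated into the SQL string, so a
// quote or SQL keyword in the input becomes part of the statement itself.
function buildVulnerableQuery(event) {
  const id = event.pathParameters.id;
  return { text: `SELECT * FROM users WHERE id = '${id}'`, values: [] };
}

// Fix 3: validate the field against what the schema expects (a positive
// integer of at most 10 digits) before it goes anywhere near SQL.
function validateId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,9}$/.test(raw)) {
    throw new Error('invalid id');
  }
  return Number(raw);
}

// Fix 1: the value travels as the $1 parameter; the statement text is constant
// regardless of input, so the driver never parses user data as SQL.
function buildSafeQuery(event) {
  const id = validateId(event.pathParameters && event.pathParameters.id);
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Constructed stand-in for a pg Client: records query(text, values) calls
// instead of talking to Postgres.
function makeStubClient() {
  const calls = [];
  return {
    calls,
    async query(text, values = []) { calls.push({ text, values }); return { rows: [] }; },
  };
}

// Lambda handler wired to the safe builder; invalid input is rejected with a
// 400 before any statement is sent.
async function handler(event, client = makeStubClient()) {
  let q;
  try { q = buildSafeQuery(event); } catch (e) { return { statusCode: 400, body: e.message }; }
  const result = await client.query(q.text, q.values);
  return { statusCode: 200, body: JSON.stringify(result.rows) };
}

// Constructed hostile input: note how it lands inside the vulnerable statement.
const crafted = { pathParameters: { id: "1' OR '1'='1" } };
console.log(buildVulnerableQuery(crafted).text);
handler(crafted).then((r) => console.log(r.statusCode)); // 400
```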

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from event data in SQL strings in AWS Lambda and many other security issues in your codebase.