SQL injection from AWS Lambda event data in SQL string with SQLAlchemy

Critical Risk · sql-injection
Tags: python, aws-lambda, sqlalchemy, sql-injection, serverless

What it is

SQL injection vulnerability where event-derived values are concatenated or formatted into SQL strings passed to SQLAlchemy's execute() without parameter binding, allowing untrusted input to alter queries and potentially read, modify, or delete database data.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Using SQLAlchemy's execute() with raw SQL strings built from Lambda event data.

Root causes

Raw SQL with String Formatting

Building the SQL string with f-strings, `%` formatting, `.format()` or `+` concatenation from Lambda event fields (path parameters, query string, request body) and passing that string to SQLAlchemy's execute(), so the event value becomes part of the statement text instead of a bound value.

Bypassing ORM Safety

Dropping to raw SQL execution instead of SQLAlchemy's ORM or Core expression constructs, which emit bind parameters automatically.

Fixes

1

Use Bound Parameters with text()

Use SQLAlchemy's text() with named parameters for raw SQL queries.

View implementation
from sqlalchemy import text
connection.execute(text('SELECT * FROM users WHERE id = :id'), {'id': user_id})
2

Use SQLAlchemy ORM

Prefer SQLAlchemy's ORM query methods which handle parameterization automatically.

View implementation
session.query(User).filter(User.id == user_id).all()
3

Use Expression Language

Use SQLAlchemy's expression language for dynamic query building.

View implementation
from sqlalchemy import select
select(users).where(users.c.id == user_id)  # select([users]) is the legacy SQLAlchemy 1.3 list form
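The vulnerable pattern beside fix 1 (text() with a named bind parameter) and fix 3 (the Core expression language), as an added example that is not part of the original page and is neither Sourcery's nor SQLAlchemy's own code. It assumes SQLAlchemy 1.4 or later and an in-memory SQLite database so it runs offline; the users table, the API Gateway-style event with the id under pathParameters, and the lambda_handler and lookup_* function names are constructed for the illustration.

```python
"""Added example (not from the original page): the vulnerable string-formatting
pattern beside the text()-with-bound-parameters and Core expression fixes.
Assumes SQLAlchemy 1.4+ and uses an in-memory SQLite database so it runs offline."""
import json

from sqlalchemy import (Column, Integer, MetaData, String, Table,
                        create_engine, select, text)

metadata = MetaData()
# Hypothetical table for the illustration.
users = Table(
    "users", metadata,
    Column("id", Integer, primary_key=True),
    Column("username", String),
    Column("role", String),
)


def make_engine():
    """Create an in-memory database with two constructed rows."""
    engine = create_engine("sqlite:///:memory:")
    metadata.create_all(engine)
    with engine.begin() as conn:
        conn.execute(users.insert(), [
            {"id": 1, "username": "alice", "role": "admin"},
            {"id": 2, "username": "bob", "role": "user"},
        ])
    return engine


def lookup_vulnerable(engine, event):
    """VULNERABLE: the event value becomes part of the SQL text itself."""
    user_id = event["pathParameters"]["id"]
    query = f"SELECT id, username FROM users WHERE id = {user_id}"
    with engine.connect() as conn:
        return [tuple(row) for row in conn.execute(text(query))]


def lookup_text_bound(engine, event):
    """Fix 1: raw SQL with a named bind parameter. The value travels
    separately from the statement, so it is only ever compared as data."""
    user_id = event["pathParameters"]["id"]
    stmt = text("SELECT id, username FROM users WHERE id = :id")
    with engine.connect() as conn:
        return [tuple(row) for row in conn.execute(stmt, {"id": user_id})]


def lookup_expression(engine, event):
    """Fix 3: Core expression language; SQLAlchemy emits the placeholder."""
    user_id = event["pathParameters"]["id"]
    stmt = select(users.c.id, users.c.username).where(users.c.id == user_id)
    with engine.connect() as conn:
        return [tuple(row) for row in conn.execute(stmt)]


_engine = None


def lambda_handler(event, context):
    """Hypothetical Lambda entry point: validate the id's type before the
    query, then use the bound-parameter lookup."""
    global _engine
    if _engine is None:
        _engine = make_engine()
    raw_id = (event.get("pathParameters") or {}).get("id", "")
    # Type validation is defence in depth: binding alone already prevents
    # injection, but an id that is not an integer is not a valid request.
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return {"statusCode": 400, "body": json.dumps({"error": "invalid id"})}
    rows = lookup_text_bound(_engine, {"pathParameters": {"id": user_id}})
    if not rows:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    return {"statusCode": 200,
            "body": json.dumps({"id": rows[0][0], "username": rows[0][1]})}


if __name__ == "__main__":
    eng = make_engine()
    # Constructed events: one well-formed id and one crafted, non-numeric id.
    good = {"pathParameters": {"id": "2"}}
    crafted = {"pathParameters": {"id": "1 OR 1=1"}}
    print("vulnerable:", lookup_vulnerable(eng, crafted))    # both rows returned
    print("text() bound:", lookup_text_bound(eng, crafted))  # []
    print("expression:", lookup_expression(eng, crafted))    # []
    print("handler:", lambda_handler(crafted, None))         # statusCode 400
    print("handler:", lambda_handler(good, None))            # statusCode 200
```

With the crafted id the formatted query's WHERE clause is altered and every row comes back, while both fixed lookups compare the whole string against the integer column and return nothing. The int() check in the handler is not what stops the injection (the bind parameter does that); it rejects malformed requests early and keeps the error path explicit.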

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from AWS Lambda event data in SQL strings with SQLAlchemy, along with many other security issues, in your codebase.