SQL injection from AWS Lambda event data in SQL string

Severity: Critical Risk | Rule: sql-injection
Tags: python, aws-lambda, sql-injection, serverless, tainted-input

What it is

SQL injection vulnerability where user-controlled Lambda event fields are concatenated into SQL strings without parameters or proper validation, potentially allowing attackers to read, modify, or delete database data and exfiltrate sensitive information.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Data in the Lambda event object comes from the caller and is therefore attacker-controlled. When an event field is inserted into the SQL text instead of being bound as a parameter, the database parses attacker-supplied content as part of the query, so crafted input can change what the query does.

Root causes

Direct Event Field Concatenation

Values taken from the Lambda event dictionary (query-string, path or body fields) are formatted or concatenated into the SQL text rather than passed as query parameters.

Generic Database Driver Usage

Calling a Python database driver's execute() method with a query string built by string formatting or concatenation instead of passing the values through the driver's parameter binding.

Fixes

1. Use Parameterized Queries

   Use your database driver's parameter binding mechanism.

   cursor.execute('SELECT * FROM users WHERE id=%s', (user_id,))

2. Use an ORM

   Use SQLAlchemy, Django ORM, or similar to build queries safely.

   User.query.filter_by(id=user_id).first()

3. Validate and Sanitize Input

   Validate all Lambda event data before use in queries.

   Cast IDs to integers, validate against allowlists, sanitize strings.
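The vulnerable and hardened handlers side by side, as an added example that is not part of the Sourcery rule page. It assumes an API Gateway-style event carrying queryStringParameters and uses an in-memory sqlite3 database (paramstyle '?', whereas the page's driver example uses '%s') so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the Lambda's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn


def vulnerable_handler(event, conn):
    """Root cause on this page: the event field is formatted into the SQL text."""
    user_id = event["queryStringParameters"]["id"]
    query = f"SELECT id, email FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def hardened_handler(event, conn):
    """Fixes 1 and 3: validate the field, then bind it as a parameter."""
    raw = (event.get("queryStringParameters") or {}).get("id")
    try:
        user_id = int(raw)  # only an integer id is acceptable here
    except (TypeError, ValueError):
        return {"statusCode": 400, "body": "invalid id"}
    if user_id <= 0:
        return {"statusCode": 400, "body": "invalid id"}
    rows = conn.execute("SELECT id, email FROM users WHERE id = ?",
                        (user_id,)).fetchall()
    return {"statusCode": 200, "body": rows}


# Constructed events: a normal lookup and one whose id is not a plain integer.
BENIGN_EVENT = {"queryStringParameters": {"id": "1"}}
CRAFTED_EVENT = {"queryStringParameters": {"id": "1 OR 1=1"}}


def demo():
    """Run both handlers on both events against a fresh database."""
    conn = make_db()
    return {
        "vulnerable_benign": vulnerable_handler(BENIGN_EVENT, conn),
        "vulnerable_crafted": vulnerable_handler(CRAFTED_EVENT, conn),
        "hardened_benign": hardened_handler(BENIGN_EVENT, conn),
        "hardened_crafted": hardened_handler(CRAFTED_EVENT, conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The crafted event makes the concatenated query return every row, while the hardened handler rejects it with a 400 before any SQL runs and returns only the requested row for the benign event.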

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from AWS Lambda event data in SQL strings, along with many other security issues in your codebase.