SQL injection from AWS Lambda event data in mysql2 query

Critical Risk | sql-injection
Tags: ruby, aws-lambda, mysql2, mysql, sql-injection

What it is

SQL injection vulnerability where untrusted event fields are concatenated into SQL strings and sent to mysql2 without parameters or proper escaping, potentially allowing attackers to alter queries to exfiltrate data, change records, bypass authorization, or run destructive database commands.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Lambda event fields reach the database as part of the SQL text itself, through Ruby string interpolation or concatenation, instead of travelling as bound parameters.

Root causes

Event Field String Interpolation

Lambda event fields are directly interpolated into SQL strings using Ruby string interpolation or concatenation.

Missing mysql2 Prepared Statements

Failing to use mysql2 prepared statements and parameter binding for dynamic queries.

Fixes

1. Use mysql2 Prepared Statements

Replace string interpolation with mysql2 prepared statements using client.prepare() and execute().

Implementation:
stmt = client.prepare('SELECT * FROM users WHERE id = ?')
stmt.execute(user_id)

2. Apply mysql2 Parameter Binding

Pass dynamic values as bound parameters instead of placing them in the SQL text. In mysql2, parameter binding is only available through prepared statements: Client#query takes an options hash as its second argument and does not substitute ? placeholders, so the values must be handed to Statement#execute.

Implementation:
stmt = client.prepare('SELECT * FROM users WHERE name = ?')
stmt.execute(user_name)

3. Validate Event Input

Implement comprehensive validation for all Lambda event fields before database operations.

Implementation:
Validate data types, check formats, enforce length limits, and use allow-lists.
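The three fixes combined in one Ruby Lambda handler, as an added example that is not Sourcery's code: the vulnerable interpolation is kept beside the hardened path, which validates the event fields and then binds them through prepare/execute. The table, column names, the allow-list and the RecordingClient stand-in for Mysql2::Client are assumptions made so the code runs without a database.

```ruby
# Added example (not Sourcery's code). `client` is injected so the handler runs
# here with a constructed stand-in; on Lambda it would be a Mysql2::Client.
ALLOWED_STATUS = %w[active disabled].freeze # assumed allow-list

# Vulnerable form: the event field becomes SQL text, so even a plain apostrophe changes the query.
def vulnerable_sql(event)
  "SELECT * FROM users WHERE name = '#{event['name']}'"
end

# Fix 3: validate each event field (type, format, length, allow-list) before any database call.
def validate_event(event)
  id     = event['id'].to_s
  status = event['status'].to_s
  raise ArgumentError, 'id must be a decimal integer' unless id.match?(/\A\d{1,18}\z/)
  raise ArgumentError, 'status not allowed' unless ALLOWED_STATUS.include?(status)
  { id: Integer(id, 10), status: status }
end

# Fixes 1 and 2: fixed SQL text with ? placeholders; values are bound via Client#prepare / Statement#execute.
def find_user(client, event)
  v = validate_event(event)
  stmt = client.prepare('SELECT id, name FROM users WHERE id = ? AND status = ?')
  stmt.execute(v[:id], v[:status])
end

# Constructed stand-in for Mysql2::Client: records the SQL and bound values it would send.
class RecordingClient
  Statement = Struct.new(:sql, :log) do
    def execute(*args)
      log << [sql, args]
      [] # a real Statement#execute returns a Mysql2::Result
    end
  end
  attr_reader :log
  def initialize
    @log = []
  end
  def prepare(sql)
    Statement.new(sql, @log)
  end
end

# Lambda entry point; API Gateway places query parameters under this key.
def handler(event:, context:, client: RecordingClient.new)
  rows = find_user(client, event['queryStringParameters'] || {})
  { statusCode: 200, body: rows.to_s }
rescue ArgumentError => e
  { statusCode: 400, body: e.message }
end
```

Invalid fields are rejected with a 400 before any SQL is built, and the recorded log shows that accepted values never enter the SQL text.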

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from AWS Lambda event data in mysql2 queries, along with many other security issues in your codebase.