String Interpolation in Sequel Queries
Event fields are directly interpolated into Sequel SQL strings without using dataset APIs or parameter binding.
This is a SQL injection vulnerability: user-controlled event fields are interpolated into SQL strings in Sequel without parameters. Crafted input that alters the query can potentially allow attackers to exfiltrate data, modify tables, or run dangerous database commands with the application's database privileges.
Configuration changes required - see explanation below.
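One way to check a handler for this pattern, as an added example (not Sourcery's rule or code from this page): a token-based scan that flags `event` data, or locals assigned from it, interpolated into a raw SQL string passed to Sequel, while leaving the dataset API and `?` placeholders alone. The `DB` constant name, the sample handler and the helper names are assumptions made for illustration.

```ruby
require "ripper"

# Sequel methods that take a raw SQL string; DB["..."] is handled separately.
SINK_METHODS = %w[run fetch].freeze

# Constructed sample Lambda handler; it is only lexed as text, never executed.
SAMPLE_HANDLER = <<~'RUBY'
  def handler(event:, context:)
    DB.run("DELETE FROM sessions WHERE token = '#{event['token']}'")
    DB["SELECT * FROM users WHERE name = '#{event["name"]}'"].all
    name = event["name"]
    DB.fetch("SELECT * FROM users WHERE name = '#{name}'").all
    DB[:users].where(name: event["name"]).all
    DB.fetch("SELECT * FROM users WHERE name = ?", event["name"]).all
    puts "handled #{event['id']}"
  end
RUBY

# Index of the string literal opened right after DB (toks[i] follows DB), or nil.
def sink_string_start(toks, i)
  types = toks[i, 2].map { |t| t[1] }
  return i + 1 if types == %i[on_lbracket on_tstring_beg]
  return nil unless types == %i[on_period on_ident] && SINK_METHODS.include?(toks[i + 1][2])
  i += (toks[i + 2] && toks[i + 2][1] == :on_lparen) ? 3 : 2
  toks[i] && toks[i][1] == :on_tstring_beg ? i : nil
end

# Lines where event data is interpolated into a raw SQL string. Taint is
# propagated through simple assignments of the form: local = <tainted expr>.
def tainted_sql_lines(source)
  toks = Ripper.lex(source).reject { |t| t[1] == :on_sp }
  tainted = ["event"]
  findings = []
  toks.each_with_index do |((line, _col), type, text), i|
    if type == :on_ident && toks[i + 1] && toks[i + 1][1..2] == [:on_op, "="]
      rhs = toks.drop(i + 2).take_while { |t| t[1] != :on_nl }
      tainted << text if rhs.any? { |t| t[1] == :on_ident && tainted.include?(t[2]) }
    end
    next unless type == :on_const && text == "DB"
    start = sink_string_start(toks, i + 1)
    next unless start
    depth, hit = 0, false
    toks.drop(start).each do |t|
      depth += 1 if t[1] == :on_tstring_beg
      depth -= 1 if t[1] == :on_tstring_end
      break if depth.zero? # closing quote of the SQL literal
      hit ||= t[1] == :on_ident && tainted.include?(t[2])
    end
    findings << line if hit
  end
  findings
end
```

Lines 2, 3 and 5 of the sample are the interpolated forms; lines 6 and 7 show the dataset API and parameter binding that the check accepts.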
Sourcery automatically identifies SQL injection from AWS Lambda event data in Sequel queries and many other security issues in your codebase.