Using user-provided input that is not properly sanitized can lead to injection attacks. Injecting JSON into an application can enable injection attacks against a NoSQL database.
import * as AWS from 'aws-sdk'
import express, { Request, Response } from 'express'

// Single Express application that the example route is registered on.
const app = express()
/**
 * Registers the GET /api/getallusers route — the NONCOMPLIANT example.
 *
 * The entire DynamoDB scan request object is taken from `req.body.params`,
 * so the caller controls every field of the request that is sent to the
 * table, including TableName. Nothing in the handler validates or constrains
 * it. The handler only logs results; it never writes anything to `res`.
 */
function noSqlInjectionNoncompliant() {
  app.get('/api/getallusers', (req: Request, res: Response) => {
    const docClient = new AWS.DynamoDB.DocumentClient({ region: "us-east-1" });
    // Noncompliant: untrusted input is used verbatim as the scan request.
    const params = req.body.params;

    const onScan = (
      err: unknown,
      data: { Items: Array<{ Title: { S: string }; Subtitle: { S: string } }> },
    ) => {
      if (err) {
        console.log("Error", err);
        return;
      }
      for (const element of data.Items) {
        console.log(`${element.Title.S} (${element.Subtitle.S})`);
      }
    };

    docClient.scan(params, onScan);
  });
}
import * as AWS from 'aws-sdk'
import express, { Request, Response } from 'express'

// Single Express application that the example route is registered on.
const app = express()
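/**
 * Registers the GET /api/getallusers route — the COMPLIANT example.
 *
 * The scan request is built entirely from server-side constants, so nothing
 * the caller sends can change which table is read, which attributes are
 * projected, or any other part of the DynamoDB request.
 *
 * Responds 200 with the scanned items on success. On a scan error it now
 * responds 500 with a generic message; previously the error branch only
 * logged and never answered, leaving the client waiting until its own timeout.
 */
function noSqlInjectionCompliant() {
  app.get('/api/getallusers', function (req: Request, res: Response) {
    const docClient = new AWS.DynamoDB.DocumentClient({ region: "us-east-1" });
    // Compliant: the request object never incorporates external input.
    const params = {
      TableName: "dynamodb-example-node",
      ProjectionExpression: "user_id, username, user_age",
    };
    docClient.scan(params, function (err: unknown, data: { Items: any }) {
      if (err) {
        // Keep the full error server-side only; AWS error details describe
        // infrastructure internals and should not be echoed to the caller.
        console.log(err);
        res.status(500).json({ "status": 0, "message": "internal error" });
        return;
      }
      res.status(200).json({ "status": 1, "message": "user exists", "data": data.Items });
    });
  });
}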