Added test cases for v2 and v3 sql injection of dynamodb

2025-12-16 16:53:25 +01:00 · 2025-07-28 17:35:29 +02:00
parent a7173e0c05
commit 0a3343a07d
1 changed files with 73 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
@@ -0,0 +1,73 @@
+import {DynamoDBClient, ExecuteStatementCommand, BatchExecuteStatementCommand, DynamoDB} from "@aws-sdk/client-dynamodb";
+const express = require('express');
+
+const app = express();
+const region = 'us-east-1';
+
+app.post('/partiql/v3/execute', async (req, res) => {
+    const client = new DynamoDBClient({});
+    let maliciousInput = req.body.data; // $ MISSING: Source
+
+    const statement = `SELECT * FROM Users WHERE username = '${maliciousInput}'`;
+    const command = new ExecuteStatementCommand({
+        Statement: statement
+    });
+    await client.send(command); // $ MISSING: Alert
+
+    const updateStatement = "UPDATE Users SET status = 'active' WHERE id = " + maliciousInput;
+    const updateCommand = new ExecuteStatementCommand({
+        Statement: updateStatement
+    });
+    await client.send(updateCommand); // $ MISSING: Alert
+
+
+    const batchInput = {
+        Statements: [{
+                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+            },
+            {
+                Statement: "UPDATE Users SET role = 'user' WHERE username = bob"
+            }
+        ]
+    };
+
+    const batchCommand = new BatchExecuteStatementCommand(batchInput);
+    await client.send(batchCommand); // $ MISSING: Alert
+
+    const batchInput2 = {
+        Statements: maliciousInput.map(input => ({
+            Statement: `SELECT * FROM SensitiveData WHERE username = '${input}'`
+        }))
+    };
+
+    const batchCommand2 = new BatchExecuteStatementCommand(batchInput2);
+    await client.send(batchCommand2); // $ MISSING: Alert
+
+    const client2 = new DynamoDB({});
+    await client2.send(command); // $ MISSING: Alert
+    await client2.send(batchCommand); // $ MISSING: Alert
+});
+
+app.post('/partiql/v2/execute', async (req, res) => {
+    const AWS = require('aws-sdk');
+    const dynamodb = new AWS.DynamoDB({
+        region: 'us-east-1'
+    });
+    let maliciousInput = req.body.data; // $ MISSING: Source
+    const params = {
+        Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+    };
+
+    dynamodb.executeStatement(params, function(err, data) {});  // $ MISSING: Alert
+    const params2 = {
+        Statements: [{
+                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+            },
+            {
+                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+            }
+        ]
+    };
+
+    dynamodb.batchExecuteStatement(params2, function(err, data) {});  // $ MISSING: Alert
+});