From 0a3343a07d78bb1c3e5d1cbf2ee01b633247da92 Mon Sep 17 00:00:00 2001
From: Napalys Klicius
Date: Mon, 28 Jul 2025 17:35:29 +0200
Subject: [PATCH] Added test cases for v2 and v3 sql injection of dynamodb
---
 .../Security/CWE-089/untyped/dynamodb.js | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
new file mode 100644
index 00000000000..0f2d4bbd5fc
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
@@ -0,0 +1,73 @@
+import {DynamoDBClient, ExecuteStatementCommand, BatchExecuteStatementCommand, DynamoDB} from "@aws-sdk/client-dynamodb";
+const express = require('express');
+
+const app = express();
+const region = 'us-east-1';
+
+app.post('/partiql/v3/execute', async (req, res) => {
+ const client = new DynamoDBClient({});
+ let maliciousInput = req.body.data; // $ MISSING: Source
+
+ const statement = `SELECT * FROM Users WHERE username = '${maliciousInput}'`;
+ const command = new ExecuteStatementCommand({
+ Statement: statement
+ });
+ await client.send(command); // $ MISSING: Alert
+
+ const updateStatement = "UPDATE Users SET status = 'active' WHERE id = " + maliciousInput;
+ const updateCommand = new ExecuteStatementCommand({
+ Statement: updateStatement
+ });
+ await client.send(updateCommand); // $ MISSING: Alert
+
+
+ const batchInput = {
+ Statements: [{
+ Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+ },
+ {
+ Statement: "UPDATE Users SET role = 'user' WHERE username = bob"
+ }
+ ]
+ };
+
+ const batchCommand = new BatchExecuteStatementCommand(batchInput);
+ await client.send(batchCommand); // $ MISSING: Alert
+
+ const batchInput2 = {
+ Statements: maliciousInput.map(input => ({
+ Statement: `SELECT * FROM SensitiveData WHERE username = '${input}'`
+ }))
+ };
+
+ const batchCommand2 = new BatchExecuteStatementCommand(batchInput2);
+ await client.send(batchCommand2); // $ MISSING: Alert
+
+ const client2 = new DynamoDB({});
+ await client2.send(command); // $ MISSING: Alert
+ await client2.send(batchCommand); // $ MISSING: Alert
+});
+
+app.post('/partiql/v2/execute', async (req, res) => {
+ const AWS = require('aws-sdk');
+ const dynamodb = new AWS.DynamoDB({
+ region: 'us-east-1'
+ });
+ let maliciousInput = req.body.data; // $ MISSING: Source
+ const params = {
+ Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+ };
+
+ dynamodb.executeStatement(params, function(err, data) {}); // $ MISSING: Alert
+ const params2 = {
+ Statements: [{
+ Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+ },
+ {
+ Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+ }
+ ]
+ };
+
+ dynamodb.batchExecuteStatement(params2, function(err, data) {}); // $ MISSING: Alert
+});
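Review bot: The new test file carries no header comment explaining what it exercises or what the `$ MISSING` markers mean, so a reader has to infer that `/partiql/v3/execute` targets the SDK v3 `@aws-sdk/client-dynamodb` command objects passed to `client.send` and `/partiql/v2/execute` the SDK v2 `aws-sdk` callback API, and that `$ MISSING: Source` / `$ MISSING: Alert` record flows the CWE-089 query does not yet report. A one-line comment at the top such as `// PartiQL sinks in AWS SDK v3 (ExecuteStatementCommand / BatchExecuteStatementCommand via client.send) and v2 (executeStatement / batchExecuteStatement); $ MISSING marks flows not yet modelled` would make the intent explicit for whoever later flips these to `$ Alert`. Two smaller points: `const region = 'us-east-1';` is declared but never used (the v2 handler repeats the literal inline), and `maliciousInput.map(...)` in `batchInput2` treats `req.body.data` as an array while every other statement interpolates it as a string — presumably deliberate to cover the array-mapping shape of `Statements`, but a short comment there would keep it from being read as a typo.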