SQL injection from event data concatenated into SQL string in AWS Lambda

Critical Risk sql-injection
Tags: ruby, aws-lambda, sql-injection, string-interpolation, database

What it is

SQL injection vulnerability where event-supplied user input is interpolated or concatenated into SQL queries without using parameters or proper binding, potentially allowing attackers to read, alter, or delete database data and perform unauthorized administrative actions, compromising integrity and confidentiality.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Lambda event fields are interpolated directly into SQL strings with Ruby's #{} syntax, so whatever the caller places in the event becomes part of the query text rather than a bound value.

Root causes

Ruby String Interpolation with Event Data

Lambda event fields are directly interpolated into SQL strings using Ruby's #{} syntax.

Missing Parameter Binding

Failing to use database driver parameter binding or ORM parameterized query methods.

Fixes

1. Use Parameterized Queries with Placeholders

Replace string interpolation with parameterized queries using database-specific parameter binding.

Implementation: conn.exec_params('SELECT * FROM users WHERE id = $1', [user_id]) for PostgreSQL.

2. Use ORM Parameter Binding

When using ORMs like ActiveRecord or Sequel, use their built-in parameter binding methods.

Implementation: User.where('id = ?', user_id) (ActiveRecord) or DB[:users].where(id: user_id) (Sequel) for safe querying.

3. Validate All Event Input

Implement comprehensive validation for all Lambda event data before database operations.

Implementation: check data types, validate formats, enforce length limits, and use allow-lists for expected values.
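The following is an added example, not code from this page or from Sourcery, showing fixes 1 and 3 together in a Ruby Lambda handler: the vulnerable form that interpolates the event field into the SQL text, and the hardened form that validates the id and binds it with exec_params. To run offline it uses a FakeConnection stand-in (an assumption; real code would call the pg gem's PG::Connection, whose exec and exec_params have the same shape) that records the SQL text and parameters instead of querying a database. The event hashes are constructed samples, not real traffic.

```ruby
# Stand-in for PG::Connection (assumption: a real handler would use the pg
# gem). It records what would be sent to the database so the difference
# between interpolation and binding is visible without a server.
class FakeConnection
  attr_reader :calls

  def initialize
    @calls = []
  end

  # PG::Connection#exec takes one SQL string; nothing is bound separately.
  def exec(sql)
    @calls << { sql: sql, params: nil }
  end

  # PG::Connection#exec_params takes constant SQL text plus a values array;
  # the driver sends them separately, so values never alter the query text.
  def exec_params(sql, params)
    @calls << { sql: sql, params: params }
  end
end

# Vulnerable handler: the event field is spliced into the query text with #{}.
def vulnerable_handler(conn, event)
  user_id = event['pathParameters']['id']
  conn.exec("SELECT * FROM users WHERE id = #{user_id}")
  conn.calls.last
end

class InvalidInput < StandardError; end

# Fix 3: allow-list the expected format (a decimal integer id with a length
# cap) and convert to the expected type before it reaches the database layer.
def validate_user_id(raw)
  unless raw.is_a?(String) && raw.match?(/\A\d{1,18}\z/)
    raise InvalidInput, 'id must be a decimal integer'
  end
  Integer(raw, 10)
end

# Fix 1 + 3: validate first, then bind the value as $1. The SQL text is a
# constant regardless of what the event contained.
def hardened_handler(conn, event)
  user_id = validate_user_id(event.dig('pathParameters', 'id'))
  conn.exec_params('SELECT * FROM users WHERE id = $1', [user_id])
  conn.calls.last
end

# Constructed sample events in the API Gateway proxy shape (not real traffic).
BENIGN_EVENT   = { 'pathParameters' => { 'id' => '42' } }
TAMPERED_EVENT = { 'pathParameters' => { 'id' => '42 OR 1=1' } }

if __FILE__ == $PROGRAM_NAME
  conn = FakeConnection.new
  puts "vulnerable, benign : #{vulnerable_handler(conn, BENIGN_EVENT)[:sql]}"
  puts "vulnerable, tampered: #{vulnerable_handler(conn, TAMPERED_EVENT)[:sql]}"
  puts "hardened, benign    : #{hardened_handler(conn, BENIGN_EVENT)}"
  begin
    hardened_handler(conn, TAMPERED_EVENT)
  rescue InvalidInput => e
    puts "hardened, tampered  : rejected (#{e.message})"
  end
end
```

The point to check in review is that the hardened path's SQL string is identical for every event; only the params array changes, and malformed ids are rejected before any database call is made. Validation alone is not the fix (a valid-looking value can still be interpolated unsafely elsewhere), which is why the handler keeps the placeholder even after validating.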

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from event data concatenated into SQL strings in AWS Lambda, along with many other security issues in your codebase.