Does anyone know if there are any known no SQL vulnerabilities with the 'Dynogels' library when interacting with a NO SQL database.
Not using any advanced queries, only bog standard with the existing methods. query(), where(), equals() etc.
Maybe not really a known issue, but when dealing with input data in general, and saving it into whatever database, you always have to sanitise your data to prevent injections.
As you are dealing with JSON a lot in DynamoDB, be especially careful when deserialising user input to JSON objects and inserting or updating these objects directly into a NoSQL database. For example, make sure the user cannot add extra fields into the JSON object.
It all depends on how you validate your user input.
I think it is safe to say that NoSQL databases access the database more in terms of functions and JSON objects. You have to worry less about SQL injections than with traditional string-based access (TSQL) databases.
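The "extra fields" problem described above, as an added example that is not part of the answer: the deserialised body is checked against an allow-list of expected attributes before anything is written, so a caller cannot smuggle an attribute the application never intended to store. The schema format and the function names are this example's own assumptions, not a dynogels or DynamoDB API.

```javascript
// Added example (not dynogels' or DynamoDB's own code): allow-list the fields
// of a deserialised JSON object before it is written to the database, so a user
// cannot add extra attributes (e.g. a privilege flag) to the stored item.
// PROFILE_SCHEMA and sanitiseItem are assumptions made for this example.

const PROFILE_SCHEMA = {
  name:  { type: 'string', maxLength: 64 },
  email: { type: 'string', maxLength: 254 },
  age:   { type: 'number' },
};

function sanitiseItem(rawJson, schema) {
  let input;
  try {
    input = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, item: null, errors: ['body is not valid JSON'] };
  }
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, item: null, errors: ['body must be a JSON object'] };
  }

  const errors = [];
  const item = {};
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

  // Reject, rather than silently drop, any field that is not in the schema:
  // a rejected request shows up in logs, a quietly discarded attribute does not.
  for (const field of Object.keys(input)) {
    if (!hasOwn(schema, field)) {
      errors.push(`unexpected field: ${field}`);
    }
  }

  // Copy only schema fields, and only when they have the expected shape.
  for (const [field, rule] of Object.entries(schema)) {
    if (!hasOwn(input, field)) continue;
    const value = input[field];
    if (typeof value !== rule.type) {
      errors.push(`${field}: expected ${rule.type}`);
      continue;
    }
    if (rule.type === 'string' && rule.maxLength && value.length > rule.maxLength) {
      errors.push(`${field}: longer than ${rule.maxLength} characters`);
      continue;
    }
    if (rule.type === 'number' && !Number.isFinite(value)) {
      errors.push(`${field}: not a finite number`);
      continue;
    }
    item[field] = value;
  }

  return errors.length
    ? { ok: false, item: null, errors }
    : { ok: true, item, errors };
}

// Constructed sample input: a valid profile, and one carrying an extra flag.
const accepted = sanitiseItem('{"name":"Ada","email":"ada@example.com","age":36}', PROFILE_SCHEMA);
const rejected = sanitiseItem('{"name":"Ada","isAdmin":true}', PROFILE_SCHEMA);
```

Because the allow-list is applied to the object's own keys after parsing, keys such as `__proto__` (which `JSON.parse` stores as an ordinary own property) are rejected along with any other unexpected field, and type checks stop a string being stored where the application later expects a number.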
Dynogels passes supplied filter/query values using the ExpressionAttributeValues structure, which is separate from the query structure itself (FilterExpression). This is analogous to using parameterized SQL queries, which pass parameters in a separate structure from the query itself.
In other words, as long as you only use untrusted input as filter values, injection that changes the query structure should not be possible:
// Assume "req.body" is untrusted input
Table.query(req.body.key)
.filter('somecolumn').equals(req.body.somecolumn)
.exec(callback);
The above is safe, as long as it is not an application-level vulnerability to allow the user to query for any key. In all of the contexts where untrusted input is used above, it cannot possibly affect the structure of the query.
Disclosure: I am one of the maintainers of dynogels. If you find a vulnerability, please disclose it to us privately so we can address it before publishing details publicly.
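The separation of query structure and values described in the answer above, as an added example that is not dynogels' own code: the function builds the parameter object in the shape the DynamoDB API expects (KeyConditionExpression, FilterExpression, ExpressionAttributeNames, ExpressionAttributeValues), so you can see that untrusted input only ever lands in the values map while the expressions contain nothing but placeholders. The function names, the placeholder naming scheme and the helper that audits an expression are assumptions made for this example.

```javascript
// Added example (not dynogels' own code): build DynamoDB-style query parameters
// with placeholders, and check that an expression references only placeholders.
// buildQueryParams and expressionUsesOnlyPlaceholders are this example's own names.

function buildQueryParams(tableName, hashKeyName, hashKeyValue, filters) {
  // Attribute names come from the application (the hash key and the filter
  // column names it chose); placeholders keep them out of the expression text.
  const names = { '#hk': hashKeyName };
  // Every caller-supplied value lives here and nowhere else.
  const values = { ':hk': hashKeyValue };
  const clauses = [];

  filters.forEach(({ attribute, value }, i) => {
    names[`#f${i}`] = attribute;
    values[`:f${i}`] = value;
    clauses.push(`#f${i} = :f${i}`);
  });

  const params = {
    TableName: tableName,
    KeyConditionExpression: '#hk = :hk',
    ExpressionAttributeNames: names,
    ExpressionAttributeValues: values,
  };
  if (clauses.length > 0) {
    params.FilterExpression = clauses.join(' AND ');
  }
  return params;
}

// Audit helper: an expression is structurally clean when every token is a
// name placeholder (#x), a value placeholder (:x), a comparison operator,
// a boolean keyword or a parenthesis. Any other token means raw input was
// concatenated into the query structure.
function expressionUsesOnlyPlaceholders(expr) {
  const allowedToken = /^(#[A-Za-z0-9_]+|:[A-Za-z0-9_]+|=|<>|<|<=|>|>=|AND|OR|NOT|\(|\))$/;
  return expr.trim().split(/\s+/).every((tok) => allowedToken.test(tok));
}

// Constructed untrusted input: the filter value contains operator-like text.
// It is still passed only as a value, so the database compares it literally.
const untrustedBody = {
  key: 'user-1',
  somecolumn: 'x OR attribute_exists(isAdmin)',
};

const params = buildQueryParams('accounts', 'userId', untrustedBody.key, [
  { attribute: 'somecolumn', value: untrustedBody.somecolumn },
]);
```

`params.FilterExpression` is exactly `#f0 = :f0` and `params.ExpressionAttributeValues[':f0']` holds the caller's string unchanged; `expressionUsesOnlyPlaceholders` returns true for both expressions. The one thing this construction does not decide for you is the application-level question raised above: whether the caller should be allowed to query for the key or column it asked for at all.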