Is it safe to pass user input to dynamo DB through node ts

Question

I have a function that takes user input and directly passes it to the put function

// user input is message
async addtodb(message: string, partitionkey: string) {
        const params: AWS.DynamoDB.DocumentClient.PutItemInput = {
          TableName: this.tablename,
          Item: {
            [this.key]: partitionkey,
            id: id,
            message,
          },
        };
        return await dynamodb.put(params).promise();
    };

Is it secure to use user input as an Amazon DynamoDB partition key?

is unclear and that is with the partition key aswell. I know the first rule of hacking is never trust user input so does that apply here?

score 1 · Accepted Answer · answered Jan 27 '23 at 08:43

1

You should always sanitize inputs.

However, you cannot run UDFs or any other type of function on DynamoDB which most attacks try exploit. The only thing you're at risk from is the user storing data that you did not expect.

Partition key is hashed and uses salt, so the distribution of your data won't be impacted either.

answered Jan 27 '23 at 08:43

Leeroy Hannigan

11,409
3
14
31

how would you go about santizing user input in dynamoDB? – Jonathan Coletti Jan 27 '23 at 19:22
Something like this: https://stackoverflow.com/questions/46718772/how-i-can-sanitize-my-input-values-in-node-js – Leeroy Hannigan Jan 27 '23 at 20:24
A lot of node sanitizer libs are old and shakey. I was wondering if dynamoDB has something like prepare in sql? – Jonathan Coletti Jan 27 '23 at 23:13
1

Unfortunately it's not something DynamoDB handles. – Leeroy Hannigan Jan 28 '23 at 09:10

Is it safe to pass user input to dynamo DB through node ts

1 Answers1