UNPKG

mcp-server-semgrep

MCP Server for Semgrep Integration - static code analysis with AI

rules:
  - id: dynamodb-filter-injection
    mode: taint
    metadata:
      cwe:
        - 'CWE-943: Improper Neutralization of Special Elements in Data Query Logic'
      owasp:
        - A01:2017 - Injection
      category: security
      technology:
        - python
        - boto3
        - aws-lambda
        - dynamodb
      references:
        - https://medium.com/appsecengineer/dynamodb-injection-1db99c2454ac
      subcategory:
        - vuln
      impact: MEDIUM
      likelihood: MEDIUM
      confidence: MEDIUM
    message: >-
      Detected DynamoDB query filter that is tainted by `$EVENT` object.
      This could lead to NoSQL injection if the variable is user-controlled
      and not properly sanitized. Explicitly assign query params instead of
      passing data from `$EVENT` directly to DynamoDB client.
    pattern-sources:
      - patterns:
          - pattern: event
          - pattern-inside: |
              def $HANDLER(event, context):
                ...
    pattern-sanitizers:
      - patterns:
          - pattern: |
              {...}
    pattern-sinks:
      - patterns:
          - focus-metavariable: $SINK
          - pattern-either:
              - pattern: $TABLE.scan(..., ScanFilter = $SINK, ...)
              - pattern: $TABLE.query(..., QueryFilter = $SINK, ...)
          - pattern-either:
              - patterns:
                  - pattern-inside: |
                      $TABLE = $DB.Table(...)
                      ...
                  - pattern-inside: |
                      $DB = boto3.resource('dynamodb', ...)
                      ...
              - pattern-inside: |
                  $TABLE = boto3.client('dynamodb', ...)
                  ...
    severity: ERROR
    languages:
      - python
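The rule above flags a Lambda handler that forwards part of `event` straight into `ScanFilter` or `QueryFilter`, and its message asks for the filter to be assigned explicitly instead. The following Python is an added example written for this page; it is not code from the mcp-server-semgrep package or from the Semgrep rule. It shows the handler shape the taint rule reports next to a hardened handler that builds the filter from an allow-list of attributes and comparison operators. `FakeTable`, `ALLOWED_ATTRIBUTES`, `ALLOWED_OPERATORS` and the `filter` key in the event are assumptions of this example; the filter dict uses the shape the boto3 resource-level `Table.scan` accepts (plain values in `AttributeValueList`), so the stand-in table lets it run offline without boto3.

```python
"""Added example: the handler shape flagged by dynamodb-filter-injection and a
hardened alternative that constructs ScanFilter explicitly. Not part of the
mcp-server-semgrep package; FakeTable replaces boto3 so this runs offline."""

# Assumed allow-lists: the only attributes and comparison operators this
# handler is willing to filter on. Anything else from the event is rejected.
ALLOWED_ATTRIBUTES = {"status", "owner"}
ALLOWED_OPERATORS = {"EQ", "BEGINS_WITH"}


class FakeTable:
    """Stand-in for a boto3 resource-level Table: records each scan() call."""

    def __init__(self):
        self.calls = []

    def scan(self, **kwargs):
        self.calls.append(kwargs)
        return {"Items": [], "Count": 0}


def vulnerable_handler(event, context, table):
    """The pattern the rule reports: the filter is taken verbatim from event.
    Whatever attribute names and operators the caller supplied reach DynamoDB."""
    return table.scan(ScanFilter=event["filter"])


def build_scan_filter(raw):
    """Construct a ScanFilter dict field by field from validated input.

    Expected input shape (constructed for this example):
        {"status": {"op": "EQ", "value": "active"}}
    Raises ValueError on any attribute, operator or value outside the allow-list.
    """
    if not isinstance(raw, dict):
        raise ValueError("filter must be an object")
    scan_filter = {}
    for attr, cond in raw.items():
        if attr not in ALLOWED_ATTRIBUTES:
            raise ValueError(f"attribute not allowed: {attr!r}")
        if not isinstance(cond, dict):
            raise ValueError(f"condition for {attr!r} must be an object")
        op = cond.get("op")
        value = cond.get("value")
        if op not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {op!r}")
        if not isinstance(value, str) or not value:
            raise ValueError(f"value for {attr!r} must be a non-empty string")
        # Explicit assignment: only these keys, with values we validated.
        scan_filter[attr] = {
            "AttributeValueList": [value],
            "ComparisonOperator": op,
        }
    return scan_filter


def filter_is_accepted(raw):
    """True if build_scan_filter accepts the input, False if it rejects it."""
    try:
        build_scan_filter(raw)
        return True
    except ValueError:
        return False


def hardened_handler(event, context, table):
    """Hardened form: the ScanFilter passed to the client is built locally,
    so the taint from event stops at the validation step."""
    scan_filter = build_scan_filter(event.get("filter", {}))
    return table.scan(ScanFilter=scan_filter)


if __name__ == "__main__":
    # Constructed sample event, as a Lambda invocation payload might carry it.
    sample_event = {"filter": {"status": {"op": "EQ", "value": "active"}}}
    table = FakeTable()
    hardened_handler(sample_event, None, table)
    print(table.calls[0]["ScanFilter"])
```

Running the Semgrep rule over this file reports `vulnerable_handler` (the `event["filter"]` expression flows from the `event` source into the `ScanFilter=` sink) but not `hardened_handler`, whose sink argument is the output of `build_scan_filter`. The validation step is what matters for the defence; the rule's `{...}` sanitizer only recognises a dict literal written at the call site, so keeping the allow-list logic in one function makes both the reviewer's and the scanner's job easier.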