DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Java

Java

Made by DeepSource
Use Analyzer

Audit: Amazon SimpleDB queries should not be susceptible to injection attacks JAVA-A1058

Security
Critical
 a03 cwe-20 cwe-89 cwe-943 sans top 25 owasp top 10

Amazon SimpleDB queries should not be constructed using unvalidated external data.

Bad Practice

Avoid directly performing string concatenation to create SQL queries, as this can lead to injection attacks.

String table = request.getParameter("model");

String query = "SELECT * FROM " + table + " WHERE id = '" + id + "'"; // Susceptible to injection!
SelectResult result = conn.select(new SelectRequest(query));

Recommended

In security, allow-lists are more preferable to deny-lists, due to how specific they can be. If possible, narrow down to the absolute minimum the behaviors that are desired within a query, and use external input only to select the behavior required for the specific purpose.

Make sure to sanitize data from files or requests by first passing it through allow-lists.

if (!allowlist.contains(table)) return;

// ...

String query = String.format("SELECT * from %s where id = '%s'", table, id);

References

  • OWASP Top Ten (2021) - Category A03 - Injection
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
  • CWE-20 - Improper Input Validation
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic