Java

By DeepSource

Audit: Amazon SimpleDB queries should not be susceptible to injection attacks JAVA-A1058

Security

Amazon SimpleDB queries should not be constructed using unvalidated external data.

Bad Practice

Do not build SimpleDB select expressions by concatenating strings that contain external data (request parameters, file contents, headers). SimpleDB's select language has no bind parameters, so anything spliced into the expression becomes part of its grammar, and an attacker who controls the domain name or an attribute value can change which domain is read or which items match.

String table = request.getParameter("model"); // attacker-controlled domain name
String id = request.getParameter("id");       // attacker-controlled attribute value

// Both inputs are spliced straight into the select expression. A value such as
// x' or id like '% changes the WHERE clause; a crafted table name reads another domain.
String query = "SELECT * FROM " + table + " WHERE id = '" + id + "'"; // Susceptible to injection!
SelectResult result = conn.select(new SelectRequest(query));

Recommended

Allow-lists are preferable to deny-lists because they enumerate exactly what is accepted rather than trying to anticipate every malicious form. Narrow the set of behaviours a query may have to the minimum the feature needs, and use external input only to choose among those pre-approved options (for example, which of a fixed set of domains to read), never to supply raw query text.

Validate data from files or requests against an allow-list before it reaches the query. For values that must be taken verbatim, such as an attribute value in a comparison, also apply SimpleDB's quoting rule: enclose the value in single quotes and double any single quote it contains.

Set<String> allowlist = Set.of("orders", "customers"); // domains this handler may query

if (!allowlist.contains(table)) return; // reject anything not explicitly approved

// ...

// The table name is now one of the approved constants. The id value is still
// interpolated, so it must also be validated or escaped ('' for a literal quote).
String query = String.format("SELECT * from %s where id = '%s'", table, id);
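The following example is added for this page and is not DeepSource's or AWS's code. It combines the two controls above: the domain name is constrained to an allow-list, and the attribute value is escaped according to SimpleDB's quoting rule before being placed in the expression. The domain names, the `buildSelect` and `quoteValue` helpers, and the sample inputs are assumptions made for illustration; the AWS SDK call is left as a comment so the class compiles and runs without the SDK on the classpath.

```java
import java.util.Set;

// Added example, not DeepSource's or AWS's code: builds a SimpleDB select
// expression from untrusted input without letting that input alter the query.
public final class SafeSimpleDbSelect {

    // Hypothetical allow-list: the only domains this request handler may read.
    private static final Set<String> ALLOWED_DOMAINS = Set.of("orders", "customers");

    // Quote a value for use as a SimpleDB string literal. SimpleDB escapes a
    // quote inside a quoted string by repeating it, so ' becomes ''.
    static String quoteValue(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    // Returns the select expression, or null when the domain is not approved.
    // The domain is never escaped; it is accepted only if it is one of ours.
    static String buildSelect(String domain, String id) {
        if (!ALLOWED_DOMAINS.contains(domain)) {
            return null;
        }
        return "select * from `" + domain + "` where id = " + quoteValue(id);
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign request, one injection attempt on the
        // value, one attempt to read a domain the handler should never touch.
        System.out.println(buildSelect("orders", "42"));
        System.out.println(buildSelect("orders", "x' or id like '%"));
        System.out.println(buildSelect("sdb_internal_audit", "42"));

        // With the AWS SDK on the classpath the approved expression would be run as:
        // SelectResult result = conn.select(new SelectRequest(buildSelect(domain, id)));
    }
}
```

Running the class shows the injection attempt emerging as a single quoted literal (`'x'' or id like ''%'`) that can only ever match an item whose id is exactly that string, and the unapproved domain producing no query at all. Where the id has a known shape (numeric, UUID), reject anything that does not match it before escaping; escaping is the fallback for values that legitimately contain quotes, not a substitute for the allow-list.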

References

  • OWASP Top Ten (2021) - Category A03 - Injection
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
  • CWE-20 - Improper Input Validation
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic