
This link provides an example of an injection-style attack, but it's not clear under what circumstances it applies, or how to avoid it.

Is it necessary to escape strings before inserting into dynamodb? How is it done?

This is the closest example of what I'm asking, but that is for PHP and MySQL.

Josh Vander Hook
  • I have focused the question down to a yes/no answer, with a request for help understanding how to do this. I cannot think of a more focused question and there does not exist another question like this that I can find. – Josh Vander Hook Apr 04 '23 at 12:45

1 Answer


The link you shared is not an attack; you're essentially giving the user the ability to specify what data is returned by manipulating the filter expression.

Firstly, in DynamoDB you typically wouldn't use Scan, as it results in reading the entire table, and you are allowing your users to access all the information.

If you need to prevent users from gaining access to data which is prohibited, then you should use fine-grained access control.

With that said, you should still remain vigilant over the power you give your users by submitting parameters directly to DynamoDB.

Leeroy Hannigan
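To make the "is escaping necessary" part concrete: DynamoDB expressions have no escaping function because values are never placed in the expression text at all; they are bound through placeholders. The following is an added example, not code from the question or the answer, and it does not call AWS: it only builds the parameter dict that would be passed to a boto3 client call such as `client.scan(**params)`. The table name and attribute names are assumptions.

```python
from numbers import Number
from typing import Any, Dict, Union

TABLE = "Orders"  # assumed table name
# Attributes a user is allowed to filter on (an allowlist, not escaping). Assumed.
FILTERABLE = {"order_status", "customer_id", "total"}


def unsafe_params(field: str, value: str) -> Dict[str, Any]:
    """Vulnerable pattern: attribute name and comparison value are both spliced
    into the expression text, so whatever the user sends is parsed as expression
    syntax. Even a harmless value like "in transit" breaks the expression."""
    return {"TableName": TABLE, "FilterExpression": f"{field} = {value}"}


def to_attr_value(value: Union[str, Number]) -> Dict[str, str]:
    """Wrap a Python value in the typed form the low-level DynamoDB client expects."""
    if isinstance(value, bool) or not isinstance(value, (str, Number)):
        raise TypeError(f"unsupported filter value type: {type(value).__name__}")
    return {"S": value} if isinstance(value, str) else {"N": str(value)}


def safe_params(field: str, value: Union[str, Number]) -> Dict[str, Any]:
    """Safe pattern: the expression text is a constant. The attribute name is
    checked against the allowlist and bound via ExpressionAttributeNames; the
    value is bound via ExpressionAttributeValues, so DynamoDB only ever treats
    it as data, whatever characters it contains."""
    if field not in FILTERABLE:
        raise ValueError(f"attribute not filterable: {field!r}")
    return {
        "TableName": TABLE,
        "FilterExpression": "#f = :v",
        "ExpressionAttributeNames": {"#f": field},
        "ExpressionAttributeValues": {":v": to_attr_value(value)},
    }


if __name__ == "__main__":
    # Same user input, two very different requests.
    print(unsafe_params("order_status", "in transit"))
    print(safe_params("order_status", "in transit"))
```

Binding values this way does not replace the answer's point about fine-grained access control: a user can still choose among the allowlisted filters, so the IAM policy, not the expression, must decide which items they may read.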