security.input-validation

Avoid request-driven DynamoDB queries

DynamoDB query and scan inputs should not be built directly from request input.

#Metadata

#Why it matters

Raw request data in DynamoDB helpers can widen query scope or let attackers control expressions, filters, and key conditions.

#Remediation

Build DynamoDB requests from fixed expressions and allowlisted fields instead of forwarding request-shaped input.
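
The remediation above as an added TypeScript example (not code from the rule or its repository): the first builder forwards the request body into the query input, the second uses fixed expressions and an allowlist. The `Orders` table, the attribute names, the `filterField`/`filterValue` body keys and both function names are assumptions for illustration; the objects are plain data shaped like DynamoDB Query input, so no SDK is needed to run it.

```typescript
// Added example. Table, attribute and function names are hypothetical.
type QueryInput = {
  TableName: string;
  KeyConditionExpression: string;
  FilterExpression?: string;
  ExpressionAttributeNames: Record<string, string>;
  ExpressionAttributeValues: Record<string, string | number>;
};

// BEFORE: the request body is spread into the query, so the caller controls
// KeyConditionExpression, FilterExpression and even TableName.
function unsafeBuildQuery(body: Record<string, unknown>): Record<string, unknown> {
  return { TableName: "Orders", ...body };
}

// AFTER: expressions are fixed strings; the request may only pick an
// allowlisted filter field and supply a scalar value for it.
const FILTERABLE: ReadonlySet<string> = new Set(["status", "region"]);

function buildOrderQuery(tenantId: string, body: Record<string, unknown>): QueryInput {
  const query: QueryInput = {
    TableName: "Orders",
    KeyConditionExpression: "#pk = :pk",
    ExpressionAttributeNames: { "#pk": "tenantId" },
    ExpressionAttributeValues: { ":pk": tenantId }, // from the session, never the body
  };
  const field = body["filterField"];
  const value = body["filterValue"];
  if (field === undefined) return query;
  if (typeof field !== "string" || !FILTERABLE.has(field)) {
    throw new Error("filter field not allowed");
  }
  // Reject objects and arrays so a JSON body cannot smuggle structured values.
  if (typeof value !== "string" && typeof value !== "number") {
    throw new Error("filter value must be a scalar");
  }
  // The field name goes through a name placeholder, never into the expression text.
  query.FilterExpression = "#f = :f";
  query.ExpressionAttributeNames["#f"] = field;
  query.ExpressionAttributeValues[":f"] = value;
  return query;
}
```
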

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.dynamodb-query-injection.rule.yaml.