Added modeling for V2 of dynamoDB

Napalys · Napalys · commit 06ab91898539 · 2025-09-17T10:15:19.000+02:00
diff --git a/javascript/ql/lib/ext/dynamodb.model.yml b/javascript/ql/lib/ext/dynamodb.model.yml
@@ -4,6 +4,8 @@ extensions:
       extensible: sinkModel
     data:
       - ["DynamoDBClientV3", "ReturnValue.Member[send].Argument[0]", "sql-injection"]
+      - ["DynamoDBClientV2", "ReturnValue.Member[executeStatement].Argument[0].Member[Statement]", "sql-injection"]
+      - ["DynamoDBClientV2", "ReturnValue.Member[batchExecuteStatement].Argument[0].Member[Statements].ArrayElement.Member[Statement]", "sql-injection"]
 
   - addsTo:
       pack: codeql/javascript-all
@@ -17,3 +19,4 @@ extensions:
       extensible: typeModel
     data:
       - ["DynamoDBClientV3", "@aws-sdk/client-dynamodb", "Member[DynamoDBClient,DynamoDB]"]
+      - ["DynamoDBClientV2", "aws-sdk", "Member[DynamoDB]"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -2,6 +2,9 @@
 | dynamodb.js:15:23:15:29 | command | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:15:23:15:29 | command | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
 | dynamodb.js:21:23:21:35 | updateCommand | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:21:23:21:35 | updateCommand | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
 | dynamodb.js:47:24:47:30 | command | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:47:24:47:30 | command | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
+| dynamodb.js:58:20:58:77 | `SELECT ... nput}'` | dynamodb.js:56:26:56:33 | req.body | dynamodb.js:58:20:58:77 | `SELECT ... nput}'` | This query string depends on a $@. | dynamodb.js:56:26:56:33 | req.body | user-provided value |
+| dynamodb.js:64:28:64:85 | `SELECT ... nput}'` | dynamodb.js:56:26:56:33 | req.body | dynamodb.js:64:28:64:85 | `SELECT ... nput}'` | This query string depends on a $@. | dynamodb.js:56:26:56:33 | req.body | user-provided value |
+| dynamodb.js:67:28:67:85 | `SELECT ... nput}'` | dynamodb.js:56:26:56:33 | req.body | dynamodb.js:67:28:67:85 | `SELECT ... nput}'` | This query string depends on a $@. | dynamodb.js:56:26:56:33 | req.body | user-provided value |
 | graphql.js:9:34:19:5 | `\\n      ... }\\n    ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:9:34:19:5 | `\\n      ... }\\n    ` | This query string depends on a $@. | graphql.js:8:16:8:28 | req.params.id | user-provided value |
 | graphql.js:26:30:26:40 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:26:30:26:40 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value |
 | graphql.js:29:32:29:42 | `foo ${id}` | graphql.js:25:16:25:28 | req.params.id | graphql.js:29:32:29:42 | `foo ${id}` | This query string depends on a $@. | graphql.js:25:16:25:28 | req.params.id | user-provided value |
@@ -156,6 +159,13 @@ edges
 | dynamodb.js:18:27:20:6 | new Exe ... \\n    }) | dynamodb.js:18:11:18:23 | updateCommand | provenance |  |
 | dynamodb.js:18:55:20:5 | {\\n      ... t\\n    } [Statement] | dynamodb.js:18:27:20:6 | new Exe ... \\n    }) | provenance |  |
 | dynamodb.js:19:20:19:34 | updateStatement | dynamodb.js:18:55:20:5 | {\\n      ... t\\n    } [Statement] | provenance |  |
+| dynamodb.js:56:9:56:22 | maliciousInput | dynamodb.js:58:61:58:74 | maliciousInput | provenance |  |
+| dynamodb.js:56:9:56:22 | maliciousInput | dynamodb.js:64:69:64:82 | maliciousInput | provenance |  |
+| dynamodb.js:56:9:56:22 | maliciousInput | dynamodb.js:67:69:67:82 | maliciousInput | provenance |  |
+| dynamodb.js:56:26:56:33 | req.body | dynamodb.js:56:9:56:22 | maliciousInput | provenance |  |
+| dynamodb.js:58:61:58:74 | maliciousInput | dynamodb.js:58:20:58:77 | `SELECT ... nput}'` | provenance |  |
+| dynamodb.js:64:69:64:82 | maliciousInput | dynamodb.js:64:28:64:85 | `SELECT ... nput}'` | provenance |  |
+| dynamodb.js:67:69:67:82 | maliciousInput | dynamodb.js:67:28:67:85 | `SELECT ... nput}'` | provenance |  |
 | graphql.js:8:11:8:12 | id | graphql.js:11:46:11:47 | id | provenance |  |
 | graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:12 | id | provenance |  |
 | graphql.js:11:46:11:47 | id | graphql.js:9:34:19:5 | `\\n      ... }\\n    ` | provenance |  |
@@ -554,6 +564,14 @@ nodes
 | dynamodb.js:19:20:19:34 | updateStatement | semmle.label | updateStatement |
 | dynamodb.js:21:23:21:35 | updateCommand | semmle.label | updateCommand |
 | dynamodb.js:47:24:47:30 | command | semmle.label | command |
+| dynamodb.js:56:9:56:22 | maliciousInput | semmle.label | maliciousInput |
+| dynamodb.js:56:26:56:33 | req.body | semmle.label | req.body |
+| dynamodb.js:58:20:58:77 | `SELECT ... nput}'` | semmle.label | `SELECT ... nput}'` |
+| dynamodb.js:58:61:58:74 | maliciousInput | semmle.label | maliciousInput |
+| dynamodb.js:64:28:64:85 | `SELECT ... nput}'` | semmle.label | `SELECT ... nput}'` |
+| dynamodb.js:64:69:64:82 | maliciousInput | semmle.label | maliciousInput |
+| dynamodb.js:67:28:67:85 | `SELECT ... nput}'` | semmle.label | `SELECT ... nput}'` |
+| dynamodb.js:67:69:67:82 | maliciousInput | semmle.label | maliciousInput |
 | graphql.js:8:11:8:12 | id | semmle.label | id |
 | graphql.js:8:16:8:28 | req.params.id | semmle.label | req.params.id |
 | graphql.js:9:34:19:5 | `\\n      ... }\\n    ` | semmle.label | `\\n      ... }\\n    ` |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/dynamodb.js
@@ -53,21 +53,21 @@ app.post('/partiql/v2/execute', async (req, res) => {
     const dynamodb = new AWS.DynamoDB({
         region: 'us-east-1'
     });
-    let maliciousInput = req.body.data; // $ MISSING: Source
+    let maliciousInput = req.body.data; // $ Source
     const params = {
-        Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+        Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`  // $ Alert
     };
 
-    dynamodb.executeStatement(params, function(err, data) {});  // $ MISSING: Alert
+    dynamodb.executeStatement(params, function(err, data) {});
     const params2 = {
         Statements: [{
-                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`  // $ Alert
             },
             {
-                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'`
+                Statement: `SELECT * FROM Users WHERE username = '${maliciousInput}'` // $ Alert
             }
         ]
     };
 
-    dynamodb.batchExecuteStatement(params2, function(err, data) {});  // $ MISSING: Alert
+    dynamodb.batchExecuteStatement(params2, function(err, data) {});
 });
