I have a Python function that receives user input with no character limitations (spaces, special chars, etc. all allowed). It then writes the input to a DynamoDB table.
In relational SQL, any write transaction to a database should be parameterized to avoid SQL injection. Are there any similar best practices to avoid security issues when writing user-provided data in Dynamo?
Injection attacks are absolutely possible in NoSQL databases!
The best thing you can do is validate your input and then escape the string parameters
The impact of an injection attack in DynamoDB might not be so severe. Still, you can sometimes retrieve results you were not supposed to recover, which could be problematic or not depending on the business case. This can be used to steal data or overload the system.
Example:
If you are using the greater than operator it performs a lexicographical comparison and if you provide a special char with low ASCII value you can exploit it.
dynamo.scan(TableName = 'my-table', Select = 'ALL_ATTRIBUTES',
ScanFilter = {'username': {"AttributeValueList": [{"S": "*"}],
"ComparisonOperator": "GT"}})
if the value in AttributeValueList is injected as an unescaped parameter, this can be exploited very easily