include::../description.adoc[]

== Noncompliant Code Example

For DynamoDB, when `FilterExpression`, `ProjectionExpression` or `KeyConditionExpression` parameter is influenced by user-controlled values, unexpected NoSQL operations may be executed:

[source,python]
----
DYNAMO_CLIENT = boto3.client('dynamodb', config=config) 

DYNAMO_CLIENT.scan(
    FilterExpression= username + " = :u AND password = :p", # username is user-controlled
    ExpressionAttributeValues={
        ":u": { 'S': username },
        ":p": { 'S': password }
     },
    ProjectionExpression="username, password",
    TableName="users"
) # Noncompliant
----

== Compliant Solution

For DynamoDB, `FilterExpression`, `ProjectionExpression` and `KeyConditionExpression` parameters should not be influenced by user-controlled values:

[source,python]
----

DYNAMO_CLIENT = boto3.client('dynamodb', config=config) 

DYNAMO_CLIENT.scan(
    FilterExpression= "username = :u AND password = :p", 
    ExpressionAttributeValues={
        ":u": { 'S': username },
        ":p": { 'S': password }
     },
    ProjectionExpression="username, password",
    TableName="users"
)
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]