I have a function that takes user input and directly passes it to the put function:
// user input is message
import * as AWS from 'aws-sdk';

const dynamodb = new AWS.DynamoDB.DocumentClient();

class TodoStore {
  // `id` is referenced but never defined in the snippet as posted; it is assumed here to be a field set elsewhere
  constructor(private tablename: string, private key: string, private id: string) {}

  // `message` and `partitionkey` come straight from user input and go into the item unchanged
  async addtodb(message: string, partitionkey: string) {
    const params: AWS.DynamoDB.DocumentClient.PutItemInput = {
      TableName: this.tablename,
      Item: {
        [this.key]: partitionkey,
        id: this.id,
        message,
      },
    };
    return await dynamodb.put(params).promise();
  }
}
Is it secure to use user input as an Amazon DynamoDB partition key?
is unclear and that is with the partition key as well. I know the first rule of hacking is never trust user input, so does that apply here?
CodePudding user response:
You should always sanitize inputs.
However, you cannot run UDFs or any other type of function on DynamoDB, which most attacks try to exploit. The only thing you're at risk from is the user storing data that you did not expect.
The partition key is hashed and uses a salt, so the distribution of your data won't be impacted either.
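As an added example (not the poster's or the answerer's code), here is a hardened form of the put from the question in which each user-controlled value is checked against what the application expects before it becomes a key or attribute, which is the "data you did not expect" risk the answer names. It assumes a 2048-byte partition key limit and rejection of empty keys as DynamoDB's documented behaviour, an allow-list pattern and message cap as application policy, and a minimal `PutClient` interface as a stand-in for `AWS.DynamoDB.DocumentClient` so it runs without the SDK.

```typescript
// Hardened put for the question's addtodb (added example). Limits marked "DynamoDB"
// are the service's documented ones; the allow-list and message cap are assumed policy.
const MAX_PARTITION_KEY_BYTES = 2048; // DynamoDB: max size of a partition key value
const MAX_MESSAGE_CHARS = 1000; // assumed application policy
const PARTITION_KEY_PATTERN = /^[A-Za-z0-9_.:-]+$/; // assumed allow-list for this app

interface PutItemInput { TableName: string; Item: Record<string, string>; }
// Minimal stand-in for AWS.DynamoDB.DocumentClient so this runs without the SDK.
interface PutClient { put(params: PutItemInput): Promise<unknown>; }

class ValidationError extends Error {}

// UTF-8 byte length (DynamoDB key limits are in bytes) without Buffer/TextEncoder.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff) { bytes += 4; i++; } // surrogate pair
    else bytes += 3;
  }
  return bytes;
}

function validatePartitionKey(value: unknown): string {
  // typeof check: an object or array would be marshalled into a map/list, not a string
  if (typeof value !== 'string') throw new ValidationError('partition key must be a string');
  if (value.length === 0) throw new ValidationError('partition key must not be empty'); // DynamoDB rejects empty keys
  if (utf8ByteLength(value) > MAX_PARTITION_KEY_BYTES) throw new ValidationError('partition key too long');
  if (!PARTITION_KEY_PATTERN.test(value)) throw new ValidationError('partition key has disallowed characters');
  return value;
}

function validateMessage(value: unknown): string {
  if (typeof value !== 'string') throw new ValidationError('message must be a string');
  if (value.length > MAX_MESSAGE_CHARS) throw new ValidationError('message too long');
  // reject control characters other than tab, LF and CR
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/.test(value)) throw new ValidationError('message has control characters');
  return value;
}

function buildPutItem(tableName: string, keyName: string, partitionKey: unknown, id: string, message: unknown): PutItemInput {
  return { TableName: tableName, Item: { [keyName]: validatePartitionKey(partitionKey), id, message: validateMessage(message) } };
}

async function addtodb(client: PutClient, tableName: string, keyName: string, partitionKey: unknown, id: string, message: unknown) {
  return client.put(buildPutItem(tableName, keyName, partitionKey, id, message));
}
```

The parameters are typed `unknown` on purpose: a request body parsed from JSON can carry an object or array where a string was expected, and the `typeof` checks stop that from being stored as a map or list.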