[jvanderbot]

I'm genuinely curious - where does this end? I once was curious about whether I should sanitize dynamodb inputs, and was surprised to see zero guidance for or against.

How about things like parsing strings for serializing to binary storage?

Can everything be an injection attack?

[3np]

I think it's safe to put arbitrary data in DynamoDB (just use the proper API instead of concatenating it directly into a command string...) It's the systems interacting with it you have to be careful about. In general, there is no silver bullet beyond "understand your systems capabilities and limitations". Formal verification also comes to mind.

> Can everything be an injection attack?

What does this question even mean? I guess we must say "for any system accepting arbitrary input: yes". Not even sure if the "arbitrary" qualifier is necessary.

[jakimfett]

> where does this end?

It never does, because abstractly speaking, there is no such thing as a secure computing system. This goes double for any computer that is switched on.

Practically speaking, it depends on how critical your application might be. If you're storing values for neurosurgery or automated dispersal of life-saving (or potentially life-ending) medication, you'd better be sanitizing on the way in, validating on the way out, and have some additional layers like audits and comparisons to known good values at rest. Look into defense in depth, and never trust the computer to make a decision, because the computer cannot be held accountable.

If you're storing quiz results for someone's favourite colour, or it's not internet connected, you can probably be a bit less paranoid about it.

> Can everything be an injection attack?

But yeah, anything and everything could be an injection attack if the attacker is determined enough. It's just a matter of how difficult you want to make it for them.