Container and Serverless Considerations
Container and Serverless Considerations
Container orchestration and serverless platforms introduce new SQL injection considerations:
# Kubernetes ConfigMap with database queries - AVOID THIS
apiVersion: v1
kind: ConfigMap
metadata:
name: query-templates
data:
user-search: "SELECT * FROM users WHERE status = '$STATUS'" # Vulnerable!
---
# Secure approach using parameterized query templates
apiVersion: v1
kind: ConfigMap
metadata:
name: query-templates
data:
user-search: "SELECT * FROM users WHERE status = :status"
user-search-params: "status"
Serverless function security:
# AWS Lambda function with SQL injection vulnerability
import json
import pymysql
def lambda_handler(event, context):
# Dangerous: Building query from API Gateway event
user_id = event['queryStringParameters']['userId']
action = event['queryStringParameters']['action']
connection = pymysql.connect(
host=os.environ['DB_HOST'],
user=os.environ['DB_USER'],
password=os.environ['DB_PASSWORD'],
db=os.environ['DB_NAME']
)
try:
with connection.cursor() as cursor:
# Vulnerable query construction
query = f"UPDATE users SET last_action = '{action}' WHERE id = {user_id}"
cursor.execute(query)
connection.commit()
finally:
connection.close()
# Secure Lambda implementation
import json
import boto3
from aws_lambda_powertools import Logger, Tracer, Metrics
from aws_lambda_powertools.metrics import MetricUnit
logger = Logger()
tracer = Tracer()
metrics = Metrics()
@tracer.capture_lambda_handler
@logger.inject_lambda_context
@metrics.log_metrics
def secure_lambda_handler(event, context):
# Input validation
try:
user_id = int(event['queryStringParameters'].get('userId', 0))
action = event['queryStringParameters'].get('action', '')
if user_id <= 0:
return {
'statusCode': 400,
'body': json.dumps({'error': 'Invalid user ID'})
}
# Whitelist allowed actions
allowed_actions = ['login', 'logout', 'view', 'update']
if action not in allowed_actions:
return {
'statusCode': 400,
'body': json.dumps({'error': 'Invalid action'})
}
except (ValueError, TypeError) as e:
logger.error(f"Input validation failed: {e}")
return {
'statusCode': 400,
'body': json.dumps({'error': 'Invalid input'})
}
# Use RDS Data API with parameterized queries
rds_data = boto3.client('rds-data')
try:
response = rds_data.execute_statement(
resourceArn=os.environ['DB_CLUSTER_ARN'],
secretArn=os.environ['DB_SECRET_ARN'],
database=os.environ['DB_NAME'],
sql='UPDATE users SET last_action = :action, last_action_time = CURRENT_TIMESTAMP WHERE id = :userId',
parameters=[
{'name': 'action', 'value': {'stringValue': action}},
{'name': 'userId', 'value': {'longValue': user_id}}
]
)
metrics.add_metric(name="UserActionUpdated", unit=MetricUnit.Count, value=1)
return {
'statusCode': 200,
'body': json.dumps({'success': True, 'rowsAffected': response['numberOfRecordsUpdated']})
}
except Exception as e:
logger.error(f"Database operation failed: {e}")
metrics.add_metric(name="UserActionUpdateFailed", unit=MetricUnit.Count, value=1)
return {
'statusCode': 500,
'body': json.dumps({'error': 'Internal server error'})
}
Modern architectures require modern security approaches. Every API endpoint, microservice communication channel, and serverless function represents a potential SQL injection vector. Apply the same rigorous security standards to internal APIs as external ones, implement defense in depth across service boundaries, and remember that in distributed systems, a vulnerability in one service can cascade throughout the entire architecture.