MEDIUM log injectionexpressdynamodb

Log Injection in Express with Dynamodb

Scan for log injection in express

Log Injection in Express with Dynamodb — how this specific combination creates or exposes the vulnerability

Log injection occurs when untrusted input is written directly into log entries without sanitization or formatting control. In an Express application that uses Amazon DynamoDB as a data store, this typically arises when request data—such as user identifiers, query parameters, or object keys—is embedded into log messages before being sent to DynamoDB or after reading from it. Because DynamoDB does not perform log-specific formatting, newline characters or structured delimiters in attribute values can corrupt log streams when those values are later written to logs by application code or monitoring tools.

Consider an Express route that retrieves a user record from DynamoDB and logs the response for debugging:

const AWS = require('aws-sdk');
const dynamo = new AWS.DynamoDB.DocumentClient();
const express = require('express');
const app = express();

app.get('/user/:userId', async (req, res) => {
  const userId = req.params.userId;
  const params = {
    TableName: 'Users',
    Key: { userId: userId }
  };
  try {
    const data = await dynamo.get(params).promise();
    console.log('User retrieved:', JSON.stringify(data.Item));
    res.json(data.Item);
  } catch (err) {
    console.error('DynamoDB error:', err.message);
    res.status(500).send('Server error');
  }
});

If the userId contains a newline (e.g., attacker\nAdmin: true), and the logging library or runtime writes this value directly into a log file, the injected newline can split a single log line into multiple entries. This breaks log parsers, obscures audit trails, and can facilitate log forging or injection attacks where an attacker manipulates log appearance without needing to compromise the logging system itself. When DynamoDB is used as a backend, the risk is compounded if attribute values include control characters that are later interpolated into log statements by application code or middleware.

Another scenario involves logging DynamoDB query or scan responses that include user-controlled data. For example, an Express handler might log the full response from DynamoDB, inadvertently exposing sensitive fields if those fields contain newline or structured characters that distort log formatting:

app.post('/search', async (req, res) => {
  const { query } = req.body;
  const params = {
    TableName: 'Products',
    FilterExpression: 'contains(name, :q)',
    ExpressionAttributeValues: { ':q': query }
  };
  const data = await dynamo.scan(params).promise();
  console.log('Search results:', JSON.stringify(data.Items));
  res.json(data.Items);
});

Here, if query includes carriage returns or other control sequences, and the resulting items are logged without sanitization, the log stream becomes ambiguous. This can impair incident response, enable injection-based log manipulation, and complicate correlation with other telemetry. The combination of Express routing, dynamic user input, and DynamoDB as a data store does not introduce new injection primitives but provides a pathway where unchecked data flows from DynamoDB responses into log entries, creating observable and exploitable log integrity issues.

Dynamodb-Specific Remediation in Express — concrete code fixes

To mitigate log injection when integrating Express with DynamoDB, ensure that any data written to logs is sanitized and that log formatting is controlled. The primary defense is to avoid interpolating raw DynamoDB attribute values directly into log messages. Instead, use structured logging with explicit field serialization and character escaping.

1. Sanitize user input before logging:

function sanitizeLog(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[\r\n]+/g, ' ');
}

app.get('/user/:userId', async (req, res) => {
  const userId = sanitizeLog(req.params.userId);
  const params = {
    TableName: 'Users',
    Key: { userId: req.params.userId }
  };
  const data = await dynamo.get(params).promise();
  console.log('User retrieved:', { userId, hasItem: !!data.Item });
  res.json(data.Item);
});

2. Use structured logging for DynamoDB responses instead of raw stringification:

app.post('/search', async (req, res) => {
  const query = sanitizeLog(req.body.query);
  const params = {
    TableName: 'Products',
    FilterExpression: 'contains(name, :q)',
    ExpressionAttributeValues: { ':q': query }
  };
  const data = await dynamo.scan(params).promise();
  console.log('Search results', {
    query,
    count: data.Items.length,
    ids: data.Items.map(item => ({ id: sanitizeLog(item.id) }))
  });
  res.json(data.Items);
});

3. Ensure DynamoDB client configuration and error handling do not leak raw values:

app.get('/profile/:email', async (req, res) => {
  const email = sanitizeLog(req.params.email);
  const params = {
    TableName: 'Profiles',
    KeyConditionExpression: 'email = :email',
    ExpressionAttributeValues: { ':email': email }
  };
  try {
    const data = await dynamo.query(params).promise();
    console.log('Profile lookup', { email, count: data.Count });
    res.json(data.Items);
  } catch (err) {
    console.error('Profile lookup failed', { email, code: err.code });
    res.status(500).send('Server error');
  }
});

These practices reduce the risk that newline or control characters in DynamoDB-stored data distort log structure. They align with secure logging guidelines that emphasize controlled formatting and avoiding direct inclusion of untrusted data. In an Express context, this complements middleware that normalizes request inputs and ensures that logging behavior remains predictable regardless of DynamoDB content.

Scan for log injection in express Free API security scan

Frequently Asked Questions

Does DynamoDB introduce unique log injection risks compared to other databases?
DynamoDB does not introduce unique log injection risks; the risk comes from how application code handles and logs data from any source. Because DynamoDB stores strings and binary data as-is, values containing newlines or control characters can corrupt log formatting when those values are directly interpolated into logs. The mitigation is to sanitize and structure log output consistently, regardless of the underlying datastore.
Should I log full DynamoDB responses in production for debugging?
Avoid logging full DynamoDB responses in production. Use structured, selective logging that includes only necessary metadata (e.g., request IDs, counts, sanitized identifiers). If full responses are needed for debugging, ensure they are processed through a sanitization layer that escapes or removes control characters before being written to logs.

Related Pages

Log Injection in ExpressLearn how log injection attacks exploit Express applications through request logging, error handling, and middleware. DiLog Injection in DynamodbLearn how log injection vulnerabilities manifest in DynamoDB applications, how to detect them with middleBrick scanning,Log Injection in Express on Fly IoLog injection in Express on Fly.io: causes, impacts on logging, and structured logging fixes with Fly-compatible code exLog Injection in Express on DigitaloceanLog injection in Express on Digitalocean: risks, examples, and structured logging fixes using Pino and sanitization.Pci Dss: Log Injection in ExpressUnderstand PCI DSS log injection risks in Express, see concrete remediation patterns, and learn how middleBrick detects Soc2: Log Injection in ExpressExplore Log Injection in Express apps under SOC 2 controls. Learn remediation patterns and how middleBrick detects log iIso 27001: Log Injection in ExpressExplore ISO 27001 controls for log injection in Express, with remediation examples and structured logging guidance.Cis: Log Injection in ExpressLearn how log injection manifests in Express APIs, CIS-aligned remediation patterns, and practical code fixes using struLog Injection in Express with Bearer TokensLog injection in Express with Bearer tokens: risks and remediation with code examples for safe logging and token handlinLog Injection in Express with Basic AuthLog injection in Express with Basic Auth: how credential headers reach logs and concrete fixes with code examples.Log Injection in Express with Hmac SignaturesLog injection in Express with Hmac signatures: risks and remediation with code examplesLog Injection in Express with Api KeysLog injection in Express with API keys: how untrusted header logging creates risk and how to remediate with hashing, tru