Server Side Template Injection in Adonisjs with Dynamodb
Server Side Template Injection in Adonisjs with Dynamodb — how this specific combination creates or exposes the vulnerability
Server Side Template Injection (SSTI) occurs when an attacker can inject template code that is subsequently evaluated by a server-side templating engine. In AdonisJS, which supports multiple view engines including Mustache and Edge, SSTI is possible if user input is passed directly into template rendering functions without proper escaping or validation. When AdonisJS applications store or query data using AWS DynamoDB, the combination of a compromised template context and DynamoDB operations can amplify the impact of injection by enabling unintended data access or manipulation.
AdonisJS typically uses Locals to pass data from controllers to views. If an attacker can control a key in the locals object—such as through an API endpoint that directly maps request parameters to template variables—they may inject template directives. For example, in Mustache-based views, partial inclusion or lookup helpers can be abused to traverse object properties. If the application then uses user-supplied keys to perform DynamoDB operations (e.g., constructing table names or key condition expressions from template context), malicious input may lead to unauthorized database access or data leakage.
Consider a scenario where an endpoint renders a user profile view by fetching data from DynamoDB and passing the item to the template. If the template includes dynamic partials based on user input, such as {{> (lookup . partialName)}}, and the partial name is derived from untrusted data, an attacker might traverse internal objects or access unexpected globals. Meanwhile, the DynamoDB SDK calls in the controller may inadvertently expose sensitive attributes if filtering is not enforced. For instance, using a raw GetItem or Query without restricting returned fields can expose credentials or tokens stored in DynamoDB items, especially if the template context is polluted through SSTI to include sensitive keys.
The risk is further compounded when AdonisJS applications use DynamoDB Document Client, which automatically marshals JavaScript objects into DynamoDB attribute values. If user-controlled data flows into the Document Client parameters—such as through dynamic expression construction—attackers may manipulate conditional logic or projection expressions. Although DynamoDB itself does not execute templates, SSTI in the rendering layer can lead to crafted inputs that cause unsafe DynamoDB operations, such as retrieving items with broader permissions or bypassing intended data isolation.
Real-world patterns include unsafe usage of lodash templates or embedded JavaScript evaluation within view helpers, which may be triggered through SSTI to invoke DynamoDB operations indirectly. This can result in sensitive data exposure, enumeration of table structures, or even privilege escalation if the IAM role associated with the application has broad permissions. MiddleBrick scans detect such vectors under its Property Authorization and Input Validation checks, highlighting insecure data flows between template rendering and DynamoDB interactions.
Dynamodb-Specific Remediation in Adonisjs — concrete code fixes
To mitigate SSTI in AdonisJS when working with DynamoDB, enforce strict input validation, avoid dynamic template inclusion, and isolate data access logic from rendering. Always treat user input as untrusted and never allow it to directly influence template context or DynamoDB operation construction.
1. Validate and sanitize all user input before template rendering
Use AdonisJS schema validation to ensure only expected data reaches the view layer. Never pass raw request parameters to view.render() without sanitization.
const { schema, rules } = use('Validator')
const profileSchema = schema.create({
username: schema.string.optional({}, [ rules.escape ])
})
const validatedData = await schema.validate(request.all(), profileSchema)
await view.render('profile', { user: validatedData })
2. Avoid dynamic partials and template helpers that resolve user input
Do not use Mustache partials or Edge includes that reference variables derived from request data. Instead, use hardcoded template paths or whitelisted values.
{{!-- Unsafe: user-controlled partial inclusion --}}
{{> (lookup . partialName) }}
{{!-- Safe: static template with controlled data --}}
{{> profile/summary }}
3. Use parameterized DynamoDB operations and strict projection expressions
Construct DynamoDB queries using the SDK with explicit key schemas and filtered attribute projections. Avoid building expression strings from user input.
const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb')
const { ddbDocClient } = use('aws-sdk')
async function getUserProfile(userId) {
const command = new GetCommand({
TableName: 'UserProfiles',
Key: { userId: { S: userId } },
ProjectionExpression: 'userId, email, createdAt'
})
const response = await ddbDocClient.send(command)
return response.Item
}
4. Isolate sensitive data and apply least privilege IAM roles
Ensure the IAM role attached to the AdonisJS application only allows required DynamoDB actions on specific resources. Avoid wildcard permissions and scope down table access by prefix or tag conditions.
5. Audit logging and monitoring
Log all DynamoDB access attempts with sanitized identifiers and monitor for unusual patterns such as high-frequency requests for non-existent users or access to administrative tables. MiddleBrick’s dashboard can track related risk indicators across scans.
By combining secure coding practices in AdonisJS with disciplined DynamoDB usage, developers can effectively neutralize SSTI attack paths that might otherwise lead to data exposure or unauthorized operations.