Server Side Template Injection in Sails with Dynamodb
Server Side Template Injection in Sails with Dynamodb — how this specific combination creates or exposes the vulnerability
Server Side Template Injection (SSTI) occurs when an attacker can inject template code that is subsequently evaluated by a server-side templating engine. In Sails.js, which is a Node.js MVC framework, views are often rendered with templating engines such as EJS or Pug. If user-controlled input is embedded into these templates without proper escaping or validation, SSTI can occur. When Sails applications interact with Amazon DynamoDB, the risk is compounded because data retrieved from DynamoDB may be directly injected into templates for rendering.
Consider a scenario where an endpoint fetches an item from DynamoDB using a user-supplied identifier and passes the item to a view. If the view template does not escape dynamic values, an attacker can craft a DynamoDB item containing a malicious template snippet. When the view is rendered, the injected template code executes in the server context. For example, an item attribute like {{userSupplied}} might originate from a DynamoDB scan or query result. If the Sails view engine evaluates this attribute without sanitization, arbitrary code execution can follow.
The combination of Sails and DynamoDB introduces specific vectors: DynamoDB attribute values may include strings that resemble template syntax, and Sails controllers often pass entire database records to views. Developers might assume that DynamoDB data is inherently safe because it is stored in a NoSQL database, but data provenance does not guarantee safety. Additionally, DynamoDB Streams or Lambda triggers can propagate tainted data into Sails services, which later render it. The vulnerability is not in DynamoDB itself but in how Sails handles and renders data sourced from DynamoDB without context-aware escaping.
Real-world exploitation patterns mirror classic SSTI techniques, such as accessing server-side objects or invoking functions. In a DynamoDB-stored item, fields like description or metadata could contain payloads like {%= _.global.process.env %} for EJS. If the template engine evaluates this, environment variables can be leaked. The risk is particularly acute when Sails applications use partial templates or layouts that include user-controlled fragments from DynamoDB.
Mitigating SSTI in this context requires strict input validation, output encoding appropriate to the template context, and avoiding direct interpolation of DynamoDB results into executable template code. Security checks that validate data formats and enforce type constraints reduce the likelihood of malicious payloads reaching the rendering layer. Because DynamoDB is often used as a high-scale backend, ensuring that Sails templates treat all external data as untrusted is essential to maintaining a robust security posture.
Dynamodb-Specific Remediation in Sails — concrete code fixes
Defending against SSTI when using DynamoDB with Sails involves a combination of secure data handling, template hygiene, and runtime checks. Below are concrete remediation strategies with code examples that demonstrate safe practices.
- Use parameterized queries and avoid direct template interpolation. Instead of passing raw DynamoDB items to views, extract only the necessary fields and sanitize them. For example, when retrieving an item, map it to a plain object with validated properties:
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
async function getItem(params) {
const data = await dynamodb.get(params).promise();
// Return only safe, transformed data
return {
id: data.Item.id,
title: data.Item.title ? String(data.Item.title).replace(/&/g, '&').replace(/</g, '<') : ''
};
}
- Apply context-aware escaping in templates. For EJS, use
<%=%>with a trusted escaping function or rely on EJS’s built-in escaping by using<%- %>only when the content is explicitly marked as safe. For Pug, use unescaped interpolation with extreme caution:
<!-- EJS: safe output -->
<div><%= item.title %></div>
<!-- Pug: use !{} only if content is sanitized -->
div!= item.sanitizedContent
- Validate and whitelist DynamoDB attribute values. Before using data in a template, enforce strict type checks and whitelists. For example, ensure numeric IDs are integers and strings match expected patterns:
function validateItem(item) {
if (typeof item.id !== 'number' || item.id <= 0) {
throw new Error('Invalid item ID');
}
if (!/^[a-zA-Z0-9 _-]{1,100}$/.test(item.slug)) {
throw new Error('Invalid slug');
}
return true;
}
- Leverage Sails policies to sanitize incoming data. Policies can intercept requests and clean DynamoDB-bound parameters before they reach controllers:
module.exports.policies = {
'ItemController': {
'show': ['sanitizeDynamoItem']
}
};
module.exports.sanitizeDynamoItem = function (req, res, next) {
const id = parseInt(req.param('id'), 10);
if (isNaN(id)) {
return res.badRequest('Invalid ID format');
}
req.sanitizedId = id;
return next();
};
- Use view partials cautiously. If your Sails app includes partials populated from DynamoDB, ensure those partials do not execute logic or interpolate raw data. Prefer passing pre-sanitized data structures:
// In controller
const safeData = {
item: await getItem({ TableName: 'Items', Key: { id: req.sanitizedId } }),
user: { name: 'TrustedUser' }
};
return res.view('dashboard', safeData);