JS: Modeling of aws-sdk clients*

[Napalys]

This PR adds modeling for v2 and v3 AWS SDK clients:

• client-dynamodb
• client-s3
• client-athena
• client-rds-data

Important notes:

• In order for these SQL injections to be detected, we need accessPathLimit to be at least 3:
  • DynamoDBClientV2 (batchExecuteStatement Statements)
  • RDSDataClientV2 (batchExecuteStatement parameterSets.sql)
• createNamedQuery and updateNamedQuery in Athena are marked as sinks. They do not execute queries directly but store them for later execution in AWS Athena.

[owen-mc]

I haven't finished reviewing, but two comments so far:

• You don't have any tests for the sources you have added. Can you add a quick use of each of those APIs and see if the existing database access test will capture them?
• Would it be easier to put typeModel at the top of the model.yml file? I found that more intuitive, so I could look to the top to see what things are defined to mean.

[owen-mc]

Oh, and you have merge conflicts now I see.

[Copilot]

Pull Request Overview

This PR adds comprehensive modeling for AWS SDK clients (both v2 and v3) to support SQL injection detection. The modeling includes support for DynamoDB, S3, Athena, and RDS Data Service clients and their respective query execution methods.

Key changes include:

• Addition of SQL injection sinks and sources for AWS SDK v2 and v3 clients
• Test cases demonstrating SQL injection vulnerabilities across different AWS services
• Support for both callback and promise-based patterns in v2 SDK

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
aws-sdk.model.yml	Defines type models, sinks, summaries, and sources for AWS SDK clients and commands
rds-client.js	Test cases for RDS Data Service SQL injection vulnerabilities
dynamodb.js	Test cases for DynamoDB PartiQL SQL injection vulnerabilities
clients3.js	Test cases for S3 SQL injection via SelectObjectContent
athena.js	Test cases for Athena SQL injection via query execution and storage commands
aws.js	XSS test cases for AWS SDK response data
aws-db.js	Additional XSS test cases for database response data
Various .expected files	Updated test expectations with new SQL injection and XSS alerts
2025-07-28-dynamodb.md	Change note documenting the new AWS SDK support

[asgerf]

Suggested change

	- ["AthenaClientV2", "aws-sdk", "Member[Athena]"]
	- ["S3ClientV2", "aws-sdk", "Member[S3]"]
	- ["RDSDataClientV2", "aws-sdk", "Member[RDSDataService]"]
	- ["DynamoDBClientV2", "aws-sdk", "Member[DynamoDB]"]
	- ["aws-sdk.Athena", "aws-sdk", "Member[Athena]"]
	- ["aws-sdk.S3", "aws-sdk", "Member[S3]"]
	- ["aws-sdk.RDSDataService", "aws-sdk", "Member[RDSDataService]"]
	- ["aws-sdk.DynamoDB", "aws-sdk", "Member[DynamoDB]"]

Types should ideally be named after the correspinding TypeScript type if there is one, using the format <package>.<typename>.. This means we automatically match them up with type annotations and the names are also namespaced so different models easily clash with each other.

[Napalys]

d6329a9 + 3be5832