dynogels

NoSQL Injection into DynamoDB


Does anyone know if there are any known NoSQL injection vulnerabilities in the 'Dynogels' library when interacting with a NoSQL database?

Not using any advanced queries, only bog-standard ones with the existing methods: query(), where(), equals(), etc.


Solution

  • Dynogels passes supplied filter/query values using the ExpressionAttributeValues structure, which is separate from the query structure itself (FilterExpression). This is analogous to using parameterized SQL queries, which pass parameters in a separate structure from the query itself.

    In other words, as long as you only use untrusted input as filter values, injection that changes the query structure should not be possible:

    // Assume "req.body" is untrusted input
    Table.query(req.body.key)                       // untrusted input used only as the hash key *value*
        .filter('somecolumn').equals(req.body.somecolumn) // column name is fixed; untrusted input is only the filter *value*
        .exec(callback);

    The above is safe, as long as it is not an application-level vulnerability to allow the user to query for any key. In all of the contexts where untrusted input is used above, it cannot possibly affect the structure of the query.


    Disclosure: I am one of the maintainers of dynogels. If you find a vulnerability, please disclose it to us privately so we can address it before publishing details publicly.
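An added illustration of the mechanism the answer describes (not dynogels' own code): a small builder that mimics how a filter value ends up in ExpressionAttributeValues while the FilterExpression only ever contains placeholders, so a value that looks like an injection attempt stays plain data. The builder, its operator table and the sample input are assumptions constructed for this example.

```javascript
// Illustrative builder (assumption, not dynogels' implementation) showing why a
// user-supplied filter value cannot change query structure: the structure lives
// in FilterExpression, the value lives in ExpressionAttributeValues.
const SUPPORTED_OPS = { equals: '=', ne: '<>', gt: '>', gte: '>=', lt: '<', lte: '<=' };

function buildFilterParams(filters) {
  const names = {};   // ExpressionAttributeNames: #n0 -> column name (set by code, not the user)
  const values = {};  // ExpressionAttributeValues: :v0 -> the raw (possibly untrusted) value
  const clauses = filters.map((f, i) => {
    const op = SUPPORTED_OPS[f.op];
    if (!op) throw new Error(`unsupported operator: ${f.op}`); // operators are whitelisted, never user strings
    const nameKey = `#n${i}`;
    const valueKey = `:v${i}`;
    names[nameKey] = f.column;
    values[valueKey] = f.value;
    return `${nameKey} ${op} ${valueKey}`; // only placeholders reach the expression text
  });
  return {
    FilterExpression: clauses.join(' AND '),
    ExpressionAttributeNames: names,
    ExpressionAttributeValues: values,
  };
}

// Defender's check: does any raw input fragment appear in the expression text?
function expressionContainsInput(params, input) {
  return params.FilterExpression.includes(input);
}

// Constructed untrusted input that would be dangerous if concatenated into a query string
const untrusted = 'x OR attribute_exists(admin)';
const params = buildFilterParams([{ column: 'somecolumn', op: 'equals', value: untrusted }]);

if (params.FilterExpression !== '#n0 = :v0') throw new Error('unexpected expression');
if (expressionContainsInput(params, untrusted)) throw new Error('input leaked into expression');
console.log(JSON.stringify(params, null, 2)); // the attacker string is just the value of :v0
```

In dynogels' case the same separation is what keeps `.equals(req.body.somecolumn)` from altering the query; the value is never spliced into FilterExpression.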