I'm going to use Neo4j explicit/manual index queries, something like this:

```
MATCH (d:Decision)-[:HAS_VALUE_ON]->(ch:Characteristic)
WHERE ch.id = 2
CALL apoc.index.in(ch,'HAS_VALUE_ON','property.1.4:5 AND property.1.3:"practical"') YIELD node AS decision
MATCH (decision)-[ru:CREATED_BY]->(u:User)
RETURN decision, u
```
In order to use it, I need to create the index query predicate based on the Lucene query language, for instance like the following from the example above:

```
'property.1.4:5 AND property.1.3:"practical"'
```
According to my business logic, the values inside the predicate come from the UI and can potentially be used for Cypher (SQL) injection.
Previously I used Cypher named parameters to avoid this issue, but it looks like they don't work inside the predicate string.
How do I deal with this in the case of an explicit/manual index Lucene query predicate?
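
An added example, not part of the original post: one way to keep UI values from altering either query language is to bind the whole Lucene predicate as a single Cypher parameter and to backslash-escape Lucene syntax characters in each value before quoting it. The function names, the parameter names `$predicate` and `$characteristicId`, and the field-name pattern are assumptions made for illustration.

```python
import re

# Characters the Lucene classic query parser treats as syntax
# (the same set that QueryParser.escape() backslash-escapes).
_LUCENE_SPECIAL = re.compile(r'([\\+\-!():^\[\]"{}~*?|&/])')

# Assumption: index keys always look like the post's "property.1.4".
_FIELD_OK = re.compile(r'property\.\d+\.\d+')

# The predicate is bound as $predicate, never concatenated into the Cypher text,
# so it cannot change the structure of the Cypher statement.
CYPHER = """
MATCH (d:Decision)-[:HAS_VALUE_ON]->(ch:Characteristic)
WHERE ch.id = $characteristicId
CALL apoc.index.in(ch, 'HAS_VALUE_ON', $predicate) YIELD node AS decision
MATCH (decision)-[ru:CREATED_BY]->(u:User)
RETURN decision, u
"""

def escape_lucene(value: str) -> str:
    """Backslash-escape every Lucene syntax character in a user value."""
    return _LUCENE_SPECIAL.sub(r'\\\1', value)

def build_predicate(filters: dict) -> str:
    """Build 'field:value AND ...' from {field: int | str} supplied by the UI."""
    clauses = []
    for field, value in filters.items():
        # Field names are allowlisted, not escaped: they are never free text.
        if not _FIELD_OK.fullmatch(field):
            raise ValueError(f"unexpected field name: {field!r}")
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValueError(f"unsupported value type for {field}")
        if isinstance(value, int):
            clauses.append(f"{field}:{escape_lucene(str(value))}")
        else:
            # Quoted phrase: operators such as OR/NOT inside it are plain text.
            clauses.append(f'{field}:"{escape_lucene(value)}"')
    if not clauses:
        raise ValueError("at least one filter is required")
    return " AND ".join(clauses)

def build_query(characteristic_id: int, filters: dict):
    """Return (cypher, params) ready to hand to any Neo4j driver."""
    params = {"characteristicId": int(characteristic_id),
              "predicate": build_predicate(filters)}
    return CYPHER, params
```

The returned pair is passed to the driver's parameterized run call, so the Cypher text stays constant while only the parameter map varies per request.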