
Is searching/updating/creating nodes and relationship labels and parameters via string construction in n4j-bolt/py2neo unsafe?

Hello, I'm relatively new to N4j and am enjoying the technology so far. I'm working with a large database and hoping to write some pretty generic search functions. For performance reasons, I'd like to write a function that can subset nodes based on labels using the :Label syntax as opposed to doing so in a WHERE clause. Further, I'd like to utilize parameter maps in the node/relationship MATCH pattern where the mappings can be of different properties and values. As you know, parameterizing labels and maps isn't supported by the n4j bolt driver. For example, I'd like to write a function like the following:

def search(session, node_1_label, node_1_params, node_2_label, node_2_params):
    # {name} is meant as a Cypher parameter placeholder here; the driver accepts it
    # for property values but not for labels or whole property maps in a MATCH pattern
    r = session.run("MATCH (n1:{node_1_label} {node_1_params})-[r]-(n2:{node_2_label} {node_2_params}) "
                    "RETURN n1, r, n2",
                    node_1_label=node_1_label, node_1_params=node_1_params,
                    node_2_label=node_2_label, node_2_params=node_2_params)
    # ... do stuff with r ...

This doesn't work for labels and parameters. I could do some of this in the WHERE clause, but I understand that is quite slow relative to constructing better MATCH patterns, i.e. NodeByLabelScan vs AllNodesScan.

Now to the question: I've seen suggestions (and had some success with) constructing some of these patterns using string literals via Python string formatting, f-strings, etc., but isn't that vulnerable to SQL-injection-like attacks? Similarly, I've seen the py2neo solution for some of this: https://py2neo.org/v4/cypher/index.html but that also seems vulnerable to said attacks. I also saw this answer on this forum from last month: How to make this not dangerous?

Of course there should be other safeguards in place to prevent these attacks from happening, but I'm hoping the community can offer some best practices or previously discussed solutions in this area. I haven't had much luck searching for how to best accomplish this Cypher flexibility while keeping security in mind.

Thank you!
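The following is an added example, not code from the poster or from the Neo4j or py2neo projects, of the usual way to get the flexibility asked for above without opening a Cypher-injection hole: the label is checked against an allowlist before it is spliced into the query text, the property keys are restricted to plain identifiers, and every property value travels as a driver parameter (`$n1_name`) rather than being formatted into the string. The `ALLOWED_LABELS` set, the `n1_`/`n2_` parameter-name prefixes and the `UnsafeCypherError` class are assumptions of this example; in a real application the allowlist would be built from the schema you control.

```python
import re

# Constructed allowlist for this example. Labels become part of the query text,
# so the only safe source for them is a fixed set you control, never user input.
ALLOWED_LABELS = frozenset({"Person", "Company", "Movie"})

# Property keys also end up in the query text, so they are restricted to plain
# identifiers (letters, digits, underscore) that need no backtick quoting.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeCypherError(ValueError):
    """Raised when a label or property key would have to be trusted verbatim."""


def checked_label(label, allowed=ALLOWED_LABELS):
    """Return the label unchanged if it is allowlisted, otherwise refuse."""
    if label not in allowed:
        raise UnsafeCypherError(f"label {label!r} is not in the allowlist")
    return label


def property_pattern(alias, props, params):
    """Turn {'name': 'Ann'} into ' {name: $n1_name}' for node alias n1.

    Keys are validated; values never touch the query text, they are registered
    in `params` under a prefixed name and sent to the server as parameters.
    """
    if not props:
        return ""
    parts = []
    for key, value in props.items():
        if not _IDENT_RE.match(key):
            raise UnsafeCypherError(f"property key {key!r} is not a plain identifier")
        pname = f"{alias}_{key}"
        params[pname] = value
        parts.append(f"{key}: ${pname}")
    return " {" + ", ".join(parts) + "}"


def build_search(node_1_label, node_1_props, node_2_label, node_2_props,
                 allowed=ALLOWED_LABELS):
    """Build the MATCH text and the parameter dict for the generic search.

    Returns (query, params); the query still uses the fast NodeByLabelScan
    form because the label is a literal in the pattern, not a WHERE filter.
    """
    params = {}
    query = (
        "MATCH (n1:" + checked_label(node_1_label, allowed)
        + property_pattern("n1", node_1_props, params)
        + ")-[r]-(n2:" + checked_label(node_2_label, allowed)
        + property_pattern("n2", node_2_props, params)
        + ") RETURN n1, r, n2"
    )
    return query, params


def search(session, node_1_label, node_1_props, node_2_label, node_2_props):
    """Run the built query through a neo4j driver session (not exercised offline)."""
    query, params = build_search(node_1_label, node_1_props, node_2_label, node_2_props)
    return session.run(query, params)


if __name__ == "__main__":
    q, p = build_search("Person", {"name": "Ann"}, "Company", {"name": "Acme", "founded": 1999})
    print(q)
    print(p)
    # A label that is not on the allowlist is refused before any query text is built:
    try:
        build_search("Person)", {}, "Movie", {})
    except UnsafeCypherError as exc:
        print("rejected:", exc)
```

The allowlist is the important part: there is no escaping rule for labels that a reviewer can trust, so the safe design is to never let a caller-supplied string reach the label position unless it is exactly one of a known set. Property values need no such treatment because they are sent as Bolt parameters and are never interpreted as Cypher.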
