0
votes

I have a data access function like

public IList<NodeType> GetNodesByProperties(IDictionary<string, string> properties)

which returns all neo4j nodes where all properties match.

I can't find any official way to do this kind of search through neo4jclient. I've written a function like:

public IList<NodeType> GetNodesByProperties(IDictionary<string, string> properties)
{
    var baseQuery = neo4jclient.Cypher
        .Match("(node:NodeType)")
        .Where("true");

    // Injection point: both the property key and the value are spliced
    // straight into the Cypher text.
    foreach (var tuple in properties)
        baseQuery = baseQuery.AndWhere($"node.{tuple.Key} = \"{tuple.Value}\"");

    var resultQuery = baseQuery
        .Return(node => node.As<NodeType>());

    return resultQuery.Results;
}

Which does work, but this poses an obvious Cypher injection attack risk, since the function inserts raw text directly into a Cypher query.

How can I safely search for any node properties?

1
You may have already looked into this, but did you search for Neo4jClient and parameters? There are several questions and answers on that, and it seems to be a solution against injection. Tom Geudens
I've seen many answers on how to safely search for property values using .WithParam(), but I haven't seen any solution for safely specifying a property key in a search. Stephen Belden

1 Answer

1
votes

If you don't want string building/concatenation, you can use nodes and relationships as maps of properties during queries. For example:

:param prop: "login"
:param login: "ikwattro"

MATCH (n:User) WHERE n[$prop] = $login RETURN n

This will work; however, you will lose index usage :/

I believe, though, that your application should not allow the user to enter anything he wants; you have the ability to get a lot of information about your schema with the built-in procedures, and you can then compare the user input with a list of possible values.

If this is not the user entering the property keys, then there is no issue with using string concatenation.
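The two approaches in this thread, as an added example that is not code from the question or the answer: a rewrite of GetNodesByProperties in which caller-controlled text never reaches the Cypher string. Variant 1 keeps the property key as a literal in the query (so Neo4j can still use an index on it) but only after checking it against an allow-list, and passes the value through .WithParam(); variant 2 uses the answer's node[$key] form with both key and value as parameters. The IGraphClient argument, the NodeType class, the contents of FilterableKeys and the Neo4jClient 4.x `$param` syntax are assumptions for the example.

```csharp
// Added example, not the question's or the answer's code. Assumes Neo4jClient 4.x
// ($param syntax) against Neo4j 4.x, a POCO NodeType, and an IGraphClient
// supplied by the caller.
using System;
using System.Collections.Generic;
using System.Linq;
using Neo4jClient;
using Neo4jClient.Cypher;

public class NodeType
{
    public string Login { get; set; }
    public string Email { get; set; }
    public string DisplayName { get; set; }
}

public static class NodeRepository
{
    // Allow-list of property keys a caller may filter on. Assumption: replace with
    // the keys of your own schema (e.g. loaded once from CALL db.propertyKeys(),
    // or derived from the properties of NodeType).
    private static readonly HashSet<string> FilterableKeys =
        new HashSet<string>(StringComparer.Ordinal) { "login", "email", "displayName" };

    // Variant 1: key checked against the allow-list and spliced as a literal,
    // value passed as a parameter. Index-friendly because the key is static text.
    public static IList<NodeType> GetNodesByProperties(
        IGraphClient client, IDictionary<string, string> properties)
    {
        var query = client.Cypher
            .Match("(node:NodeType)")
            .Where("true");

        var i = 0;
        foreach (var kv in properties)
        {
            // Reject anything that is not an exact (ordinal) match for a known key:
            // the key is the only piece of caller input that ends up in the query text.
            if (!FilterableKeys.Contains(kv.Key))
                throw new ArgumentException(
                    $"'{kv.Key}' is not a filterable property key.", nameof(properties));

            // Parameter names are generated here, never taken from the caller.
            var paramName = $"v{i++}";
            query = query
                .AndWhere($"node.{kv.Key} = ${paramName}")
                .WithParam(paramName, kv.Value);
        }

        return query.Return(node => node.As<NodeType>()).Results.ToList();
    }

    // Variant 2: dynamic property access, as in the accepted answer. Key and value
    // both travel as parameters, so no allow-list is needed, but Neo4j cannot use
    // an index to evaluate node[$key].
    public static IList<NodeType> GetNodesByPropertiesDynamic(
        IGraphClient client, IDictionary<string, string> properties)
    {
        var query = client.Cypher
            .Match("(node:NodeType)")
            .Where("true");

        var i = 0;
        foreach (var kv in properties)
        {
            var keyParam = $"k{i}";
            var valueParam = $"v{i}";
            i++;
            query = query
                .AndWhere($"node[${keyParam}] = ${valueParam}")
                .WithParam(keyParam, kv.Key)
                .WithParam(valueParam, kv.Value);
        }

        return query.Return(node => node.As<NodeType>()).Results.ToList();
    }
}
```

Both variants return every NodeType node when the dictionary is empty (the WHERE clause collapses to `WHERE true`), so reject an empty filter at the call site if that is not what you want. The allow-list check uses an ordinal comparison deliberately: Cypher property keys are case-sensitive, and a case-insensitive match would let `Login` through as a key that does not exist in the graph and silently return nothing.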