(from coderabbit:)
⚠️ Potential issue | 🔴 Critical
Eliminate Cypher injection risk and enforce data_source_id isolation
find_nodes_by_path and find_nodes_by_slug interpolate path, slug, and node_type directly into f-string Cypher queries. This creates injection and quoting vulnerabilities—any parameter containing ' or special characters can break the query or enable injection.
Additionally, execute_raw_query() appends only a LIMIT 100 and does not enforce data_source_id scoping, allowing callers to bypass the repository's isolation contract and query across data sources.
Parameterized query support should be added to GraphClientProtocol and AgeGraphClient to pass parameters safely:
- Modify
execute_cypher(query: str, parameters: dict = None)
- Use parameterized binding in the underlying database client (PostgreSQL psycopg2, Neo4j, or AGE equivalents support this)
- In
execute_raw_query(), wrap user queries to enforce data_source_id = :data_source_id constraint
These changes are essential to prevent injection attacks and ensure data isolation.
Originally posted by @coderabbitai[bot] in #21 (comment)
(from coderabbit:)
Eliminate Cypher injection risk and enforce data_source_id isolation
find_nodes_by_pathandfind_nodes_by_sluginterpolatepath,slug, andnode_typedirectly into f-string Cypher queries. This creates injection and quoting vulnerabilities—any parameter containing'or special characters can break the query or enable injection.Additionally,
execute_raw_query()appends only aLIMIT 100and does not enforcedata_source_idscoping, allowing callers to bypass the repository's isolation contract and query across data sources.Parameterized query support should be added to
GraphClientProtocolandAgeGraphClientto pass parameters safely:execute_cypher(query: str, parameters: dict = None)execute_raw_query(), wrap user queries to enforcedata_source_id = :data_source_idconstraintThese changes are essential to prevent injection attacks and ensure data isolation.
Originally posted by @coderabbitai[bot] in #21 (comment)