Allow read-only Cypher functions in cypher_raw #473
Adds a demo parser function `{{#cypher_raw: query}}` that executes
read-only Cypher queries and displays the JSON-encoded results.
- Write queries are rejected using CypherQueryFilter
- Output is HTML-escaped and displayed in a code block
- Includes i18n messages for error states
- Adds demo page showing usage
Fixes #451
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Display each query in a syntax-highlighted code block above its execution result so readers can see what query produced what output. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The CypherQueryFilter was blocking all function calls, but built-in Cypher functions like type(), labels(), count() are read-only and safe.

Changes:
- Allow read-only function calls (type, labels, count, etc.)
- Block CALL (stored procedures can have side effects)
- Block LOAD (file system access via LOAD CSV)
- Add unicode escape normalization to prevent obfuscation attacks
- Add comprehensive security tests (55 test cases)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This pull request enhances the cypher_raw parser function by allowing read-only Cypher functions (like type(), labels(), count()) while maintaining security by blocking dangerous operations. The change builds on PR #471 and adds comprehensive security measures including blocking CALL and LOAD operations, and normalizing unicode escape sequences to prevent obfuscation attacks.
Changes:
- Modified CypherQueryFilter to allow read-only function calls while blocking CALL (stored procedures) and LOAD (file system access) operations
- Added unicode escape normalization to prevent obfuscation attacks
- Added 55 comprehensive security test cases covering various attack vectors
- Updated demo page to showcase relationship querying using the type(r) function
- Added parser function tests for the new functionality
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/CypherQueryFilter.php | Added CALL and LOAD to blocked keywords, added unicode escape normalization, simplified logic by removing function call blocking, added null coalescing operators for safety |
| tests/phpunit/CypherQueryFilterTest.php | Converted function call tests from rejection to allowance, added 55 comprehensive security test cases covering write operations, case variations, procedures, file access, unicode obfuscation, and subqueries |
| src/EntryPoints/CypherRawParserFunction.php | New file implementing the parser function with proper HTML escaping and error handling |
| tests/phpunit/EntryPoints/CypherRawParserFunctionTest.php | New comprehensive test file with 6 test cases covering empty queries, write query rejection, valid queries, exceptions, whitespace handling, and XSS prevention |
| src/EntryPoints/NeoWikiHooks.php | Registered the cypher_raw parser function hook |
| i18n/en.json | Added 4 error message translations for the parser function |
| i18n/qqq.json | Added documentation for the 4 new i18n messages |
| i18n/_Magic.php | New file registering the cypher_raw magic word |
| extension.json | Registered ParserFirstCallInit hook and NeoWikiMagic message file |
| DemoData/Page/Main_Page.wikitext | Added link to Cypher demo page |
| DemoData/Page/Cypher.wikitext | New demo page showcasing query examples including the use of type(r) function |
@JeroenDeDauw I've opened a new pull request, #475, to work on those changes. Once the pull request is ready, I'll request review from you.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Builds on #471 and kept separate for easy review. "Files changed" tab correctly only shows the extra stuff
Reviewed by Jeroen and Claude
The CypherQueryFilter was blocking all function calls, but built-in Cypher functions like type(), labels(), count() are read-only and safe.

Changes
- Allow read-only function calls (type, labels, count, etc.)
- Block CALL (stored procedures can have side effects)
- Block LOAD (file system access via LOAD CSV)
- Add unicode escape normalization to prevent obfuscation attacks (e.g. \u000DCREATE)
- Update the demo page to use type(r)

Security
The filter now blocks dangerous operations while allowing safe read-only functions:
All 55 security test cases pass, covering obfuscation attempts like unicode escapes, comment hiding, subqueries, and case variations.
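As an added illustration of the filtering layers the description above lists (decode \uXXXX escapes first, then hide string literals, backtick identifiers and comments, then match whole words against a denylist that includes CALL and LOAD), here is a small Python sketch. It is example code written for this page, not the NeoWiki extension's PHP CypherQueryFilter; the keyword set, the function names and the sample queries are this example's own choices. It assumes, as the PR's normalization step does, that the server decodes unicode escapes before tokenizing, so decoding before the scan only ever errs toward rejecting.

```python
import re

# Added example, not the extension's own code. Keyword set and function
# names are this example's choices, not CypherQueryFilter's.

# Keywords that mutate the graph or have side effects. CALL covers both
# stored procedures and CALL { ... } subqueries; LOAD covers LOAD CSV.
BLOCKED_KEYWORDS = frozenset({
    "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP",
    "CALL", "LOAD",
})

_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def decode_unicode_escapes(query: str) -> str:
    """Replace \\uXXXX with the character it denotes, so '\\u0043REATE' and
    'n\\u000DCREATE' are scanned as the CREATE the server would see."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), query)


def blank_literals_and_comments(query: str) -> str:
    """Replace string literals, backtick identifiers and comments with a
    space in one left-to-right pass, in the order a lexer meets them.
    Stripping comments and strings with separate regexes lets '/*' inside a
    string, or a quote inside a comment, hide a keyword from the scan."""
    out = []
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c in ("'", '"'):                          # string literal
            i += 1
            while i < n and query[i] != c:
                i += 2 if query[i] == "\\" else 1   # skip backslash escape
            i += 1                                   # closing quote
            out.append(" ")
        elif c == "`":                               # escaped identifier
            end = query.find("`", i + 1)
            i = n if end == -1 else end + 1
            out.append(" ")
        elif query.startswith("//", i):              # line comment
            end = query.find("\n", i)
            i = n if end == -1 else end
            out.append(" ")
        elif query.startswith("/*", i):              # block comment
            end = query.find("*/", i + 2)
            i = n if end == -1 else end + 2
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_blocked_keyword(query: str):
    """Return the first blocked keyword appearing as a whole word (any case)
    outside strings and comments, or None if the query looks read-only.
    Function calls such as type(r) or count(*) are never matched."""
    text = blank_literals_and_comments(decode_unicode_escapes(query))
    for m in _WORD.finditer(text):
        word = m.group(0).upper()
        if word in BLOCKED_KEYWORDS:
            return word
    return None


def is_read_only(query: str) -> bool:
    return find_blocked_keyword(query) is None


if __name__ == "__main__":
    # Constructed sample queries; they are not taken from the PR's test suite.
    samples = [
        "MATCH (a)-[r]->(b) RETURN type(r), labels(a), count(*)",
        "match (n) create (m) return n",
        "MATCH (n) CALL db.labels() YIELD label RETURN label",
        "LOAD CSV FROM 'file:///etc/passwd' AS row RETURN row",
        r"MATCH (n) RETURN n\u000DCREATE (m)",
        "MATCH (n) WHERE n.name = 'CREATE' RETURN n",
        "MATCH (n) WHERE n.a = '/*' CREATE (m) RETURN '*/'",
    ]
    for q in samples:
        verdict = find_blocked_keyword(q) or "read-only"
        print(f"{verdict:10} {q!r}")
```

The scan fails closed: a property or variable named `set` or `load` is rejected too, which is the right direction for a denylist. A filter like this is still only a second line of defence, because it has to mirror the server's lexer exactly; the primary control is to run the query in a read transaction (the Neo4j drivers expose one) under a database user that has no write privileges, so that a query the filter misses cannot write anyway.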