Skip to content

Block admin and SHOW keywords in CypherQueryFilter #485

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JeroenDeDauw merged 2 commits into from
Jan 30, 2026
Merged

Block admin and SHOW keywords in CypherQueryFilter #485

JeroenDeDauw merged 2 commits into from
Jan 30, 2026

Conversation

@JeroenDeDauw
Copy link
Member

@JeroenDeDauw JeroenDeDauw commented Jan 30, 2026

Fixes #479
Fixes #480

Add SHOW, GRANT, DENY, and REVOKE to the CypherQueryFilter blocklist
to prevent information disclosure and admin operations via userland
Cypher queries.

For a more robust long-term approach, see
#484

Test plan

  • Existing tests still pass (77/77)
  • New parameterized cases for GRANT, DENY, REVOKE, SHOW
  • Dedicated write query test cases with realistic admin/SHOW queries
  • String literal false-positive tests for SHOW and GRANT
  • phpcs clean

🤖 Generated with Claude Code

@JeroenDeDauw @claude
Fixes #479
6af0e38 
Fixes #480

Add SHOW, GRANT, DENY, and REVOKE to the CypherQueryFilter blocklist
to prevent information disclosure and admin operations via userland
Cypher queries.

For a more robust long-term approach, see
#484

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@JeroenDeDauw JeroenDeDauw requested a review from Copilot January 30, 2026 17:13
Copilot AI reviewed Jan 30, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses security vulnerabilities by blocking administrative and information disclosure operations in user-provided Cypher queries. It adds GRANT, DENY, REVOKE, and SHOW keywords to the blocklist to prevent privilege escalation and information leakage via the #cypher_raw parser function.

Changes:

  • Added four new keywords (GRANT, DENY, REVOKE, SHOW) to the CypherQueryFilter blocklist
  • Added comprehensive test coverage including parameterized tests, realistic query examples, and false-positive string literal tests

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/CypherQueryFilter.php Added GRANT, DENY, REVOKE, and SHOW to the WRITE_KEYWORDS constant array to block admin operations and information disclosure queries
tests/phpunit/CypherQueryFilterTest.php Added new keywords to parameterized data provider and comprehensive write query test cases including admin operations (GRANT role, DENY read, REVOKE role) and SHOW commands (SHOW DATABASES, SHOW USERS), with false-positive tests for string literals

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

tests/phpunit/CypherQueryFilterTest.php
Comment on lines +366 to +369
yield 'Lowercase grant' => [
"grant role admin to user1",
'Should reject lowercase grant'
];
Copy link

Copilot AI Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding mixed case test coverage for the new admin keywords (DENY, REVOKE) and SHOW, similar to the existing 'Mixed case CrEaTe' test on line 207. This would ensure consistent test coverage across all blocked keywords.

Copilot uses AI. Check for mistakes.
Copy link
Member Author

@JeroenDeDauw JeroenDeDauw Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot open a new pull request to apply changes based on this feedback

Copilot AI mentioned this pull request Jan 30, 2026
Merged
Copy link
Contributor

Copilot AI commented Jan 30, 2026

@JeroenDeDauw I've opened a new pull request, #486, to work on those changes. Once the pull request is ready, I'll request review from you.

@JeroenDeDauw
Add mixed case test coverage for admin and SHOW keywords (#486)
8bb29c5 
* Initial plan

* Add mixed case test coverage for DENY, REVOKE, and SHOW keywords

Co-authored-by: JeroenDeDauw <146040+JeroenDeDauw@users.noreply.github.com>

* Add mixed case test coverage for GRANT keyword for completeness

Co-authored-by: JeroenDeDauw <146040+JeroenDeDauw@users.noreply.github.com>

* Add lowercase test coverage for DENY and REVOKE keywords for consistency

Co-authored-by: JeroenDeDauw <146040+JeroenDeDauw@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: JeroenDeDauw <146040+JeroenDeDauw@users.noreply.github.com>
@JeroenDeDauw JeroenDeDauw merged commit e3d8463 into master Jan 30, 2026
6 checks passed
@JeroenDeDauw JeroenDeDauw deleted the block-admin-cypher-keywords branch January 30, 2026 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Disallow admin keywords in userland cypher queries Disallow SHOW keyword in userland cypher queries

2 participants

@JeroenDeDauw