Block untrusted servers

Author: technige

driver/src/main/java/org/neo4j/driver/internal/handlers/InitResponseHandler.java

@@ -28,6 +28,7 @@
 import org.neo4j.driver.internal.spi.ResponseHandler;
 import org.neo4j.driver.internal.util.ServerVersion;
 import org.neo4j.driver.v1.Value;
+import org.neo4j.driver.v1.exceptions.UntrustedServerException;
 
 import static org.neo4j.driver.internal.async.ChannelAttributes.setServerVersion;
 
@@ -71,11 +72,25 @@ public void onRecord( Value[] fields )
         throw new UnsupportedOperationException();
     }
 
-    private static ServerVersion extractServerVersion( Map<String,Value> metadata )
+    private static ServerVersion extractServerVersion( Map<String,Value> metadata ) throws UntrustedServerException
     {
         Value versionValue = metadata.get( "server" );
-        boolean versionAbsent = versionValue == null || versionValue.isNull();
-        return versionAbsent ? ServerVersion.v3_0_0 : ServerVersion.version( versionValue.asString() );
+        if ( versionValue == null || versionValue.isNull() )
+        {
+            return ServerVersion.v3_0_0;
+        }
+        else
+        {
+            ServerVersion server = ServerVersion.version(versionValue.asString());
+            if ( server.product().equalsIgnoreCase( "Neo4j" ) )
+            {
+                return server;
+            }
+            else
+            {
+                throw new UntrustedServerException( "Server does not identify as a genuine Neo4j instance" );
+            }
+        }
     }
 
     private static void updatePipelineIfNeeded( ServerVersion serverVersion, ChannelPipeline pipeline )

driver/src/main/java/org/neo4j/driver/internal/util/ServerVersion.java

@@ -18,6 +18,7 @@
  */
 package org.neo4j.driver.internal.util;
 
+import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -28,28 +29,35 @@
 
 public class ServerVersion
 {
-    public static final ServerVersion v3_5_0 = new ServerVersion( 3, 5, 0 );
-    public static final ServerVersion v3_4_0 = new ServerVersion( 3, 4, 0 );
-    public static final ServerVersion v3_2_0 = new ServerVersion( 3, 2, 0 );
-    public static final ServerVersion v3_1_0 = new ServerVersion( 3, 1, 0 );
-    public static final ServerVersion v3_0_0 = new ServerVersion( 3, 0, 0 );
-    public static final ServerVersion vInDev = new ServerVersion( Integer.MAX_VALUE, Integer.MAX_VALUE, Integer.MAX_VALUE );
+    public static final ServerVersion v3_5_0 = new ServerVersion( "Neo4j", 3, 5, 0 );
+    public static final ServerVersion v3_4_0 = new ServerVersion( "Neo4j", 3, 4, 0 );
+    public static final ServerVersion v3_2_0 = new ServerVersion( "Neo4j", 3, 2, 0 );
+    public static final ServerVersion v3_1_0 = new ServerVersion( "Neo4j", 3, 1, 0 );
+    public static final ServerVersion v3_0_0 = new ServerVersion( "Neo4j", 3, 0, 0 );
+    public static final ServerVersion vInDev = new ServerVersion( "Neo4j", Integer.MAX_VALUE, Integer.MAX_VALUE, Integer.MAX_VALUE );
 
     private static final String NEO4J_IN_DEV_VERSION_STRING = "Neo4j/dev";
     private static final Pattern PATTERN =
-            Pattern.compile( "(Neo4j/)?(\\d+)\\.(\\d+)(?:\\.)?(\\d*)(\\.|-|\\+)?([0-9A-Za-z-.]*)?" );
+            Pattern.compile( "([^/]*)/(\\d+)\\.(\\d+)(?:\\.)?(\\d*)(\\.|-|\\+)?([0-9A-Za-z-.]*)?" );
 
+    private final String product;
     private final int major;
     private final int minor;
     private final int patch;
     private final String stringValue;
 
-    private ServerVersion( int major, int minor, int patch )
+    private ServerVersion( String product, int major, int minor, int patch )
     {
+        this.product = product;
         this.major = major;
         this.minor = minor;
         this.patch = patch;
-        this.stringValue = stringValue( major, minor, patch );
+        this.stringValue = stringValue( product, major, minor, patch );
+    }
+
+    public String product()
+    {
+        return product;
     }
 
     public static ServerVersion version( Driver driver )
@@ -72,6 +80,7 @@ public static ServerVersion version( String server )
             Matcher matcher = PATTERN.matcher( server );
             if ( matcher.matches() )
             {
+                String product = matcher.group( 1 );
                 int major = Integer.valueOf( matcher.group( 2 ) );
                 int minor = Integer.valueOf( matcher.group( 3 ) );
                 String patchString = matcher.group( 4 );
@@ -80,7 +89,7 @@ public static ServerVersion version( String server )
                 {
                     patch = Integer.valueOf( patchString );
                 }
-                return new ServerVersion( major, minor, patch );
+                return new ServerVersion( product, major, minor, patch );
             }
             else if ( server.equalsIgnoreCase( NEO4J_IN_DEV_VERSION_STRING ) )
             {
@@ -103,6 +112,8 @@ public boolean equals( Object o )
 
         ServerVersion that = (ServerVersion) o;
 
+        if ( !product.equals( that.product ) )
+        { return false; }
         if ( major != that.major )
         { return false; }
         if ( minor != that.minor )
@@ -113,10 +124,7 @@ public boolean equals( Object o )
     @Override
     public int hashCode()
     {
-        int result = major;
-        result = 31 * result + minor;
-        result = 31 * result + patch;
-        return result;
+        return Objects.hash(product, major, minor, patch);
     }
 
     public boolean greaterThan(ServerVersion other)
@@ -141,6 +149,10 @@ public boolean lessThanOrEqual(ServerVersion other)
 
     private int compareTo( ServerVersion o )
     {
+        if ( !product.equals( o.product ) )
+        {
+            throw new IllegalArgumentException("Comparing different products");
+        }
         int c = compare( major, o.major );
         if (c == 0)
         {
@@ -160,12 +172,12 @@ public String toString()
         return stringValue;
     }
 
-    private static String stringValue( int major, int minor, int patch )
+    private static String stringValue( String product, int major, int minor, int patch )
     {
         if ( major == Integer.MAX_VALUE && minor == Integer.MAX_VALUE && patch == Integer.MAX_VALUE )
         {
             return NEO4J_IN_DEV_VERSION_STRING;
         }
-        return String.format( "Neo4j/%s.%s.%s", major, minor, patch );
+        return String.format( "%s/%s.%s.%s", product, major, minor, patch );
     }
 }

driver/src/main/java/org/neo4j/driver/v1/exceptions/UntrustedServerException.java

@@ -0,0 +1,12 @@
+package org.neo4j.driver.v1.exceptions;
+
+/**
+ * Thrown if the remote server cannot be verified as Neo4j.
+ */
+public class UntrustedServerException extends RuntimeException
+{
+    public UntrustedServerException(String message)
+    {
+        super(message);
+    }
+}

driver/src/test/java/org/neo4j/driver/internal/TrustedServerProductTest.java

@@ -0,0 +1,29 @@
+package org.neo4j.driver.internal;
+
+import org.junit.jupiter.api.Test;
+import org.neo4j.driver.v1.Config;
+import org.neo4j.driver.v1.GraphDatabase;
+import org.neo4j.driver.v1.exceptions.UntrustedServerException;
+import org.neo4j.driver.v1.util.StubServer;
+
+import static org.hamcrest.core.IsEqual.equalTo;
+import static org.hamcrest.junit.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.neo4j.driver.v1.Logging.none;
+
+public class TrustedServerProductTest
+{
+    private static final Config config = Config.build()
+            .withoutEncryption()
+            .withLogging( none() )
+            .toConfig();
+
+    @Test
+    void shouldRejectConnectionsToNonNeo4jServers() throws Exception
+    {
+        StubServer server = StubServer.start( "untrusted_server.script", 9001 );
+        assertThrows( UntrustedServerException.class, () -> GraphDatabase.driver( "bolt://127.0.0.1:9001", config ));
+        assertThat( server.exitStatus(), equalTo( 0 ) );
+    }
+
+}

driver/src/test/resources/untrusted_server.script

@@ -0,0 +1,4 @@
+!: AUTO RESET
+
+C: INIT "neo4j-java/dev" {"scheme": "none"}
+S: SUCCESS {"server": "AgentSmith/0.0.1"}