Modify rule S3649: Add Neo4j example (#3911)

* Add neo4j * Rename Neo4j to Spring Data Neo4j --------- Co-authored-by: Thomas Serre <118730793+thomas-serre-sonarsource@users.noreply.github.com>
2024-07-11 08:53:54 +02:00 · 2024-07-11 08:53:54 +02:00 · 4a50193c56
commit 4a50193c56
parent d9da9fbcd4
3 changed files with 58 additions and 0 deletions
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@ -49,6 +49,7 @@
 * Spring
 * Spring Data Cassandra
 * Spring Data Redis
+* Spring Data Neo4j
 * SQLCipher
 * Thymeleaf
 // JS
--- a/rules/S3649/java/how-to-fix-it/spring-data-neo4j.adoc
+++ b/rules/S3649/java/how-to-fix-it/spring-data-neo4j.adoc
@ -0,0 +1,55 @@
+== How to fix it in Spring Data Neo4j
+
+=== Code examples
+
+The following code is vulnerable to Cypher injection because user-controlled data
+is inserted directly into a query string. The application assumes that incoming
+data always has a specific range of characters, and ignores that some characters
+may change the query logic to a malicious one.
+
+==== Noncompliant code example
+
+[source,java,diff-id=41,diff-type=noncompliant]
+----
+import org.springframework.data.neo4j.core.Neo4jTemplate;
+
+@RestController
+public class ApiController
+{
+    private final Neo4jTemplate neo4jTemplate;
+
+    @GetMapping("/find")
+    public List<Person> find(@RequestParam("name") String name) {
+        String cypherQuery = "MATCH (n:Person) WHERE n.name = '" + name + "' RETURN n";
+        return neo4jTemplate.findAll(cypherQuery, Person.class);
+    }
+}
+----
+
+==== Compliant solution
+
+[source,java,diff-id=41,diff-type=compliant]
+----
+import org.springframework.data.neo4j.core.Neo4jTemplate;
+
+@RestController
+public class ApiController
+{
+    private final Neo4jTemplate neo4jTemplate;
+
+    @GetMapping("/find")
+    public List<Person> find(@RequestParam("name") String name) {
+        String cypherQuery = "MATCH (n:Person) WHERE n.name = $name RETURN n";
+        var parameters = new HashMap<String, Object>();
+        parameters.put("name", name);
+        return neo4jTemplate.findAll(cypherQuery, parameters, Person.class);
+    }
+}
+----
+
+=== How does this work?
+
+As a rule of thumb, the best approach to protect against injections is to
+systematically ensure that untrusted data cannot break out of an interpreted
+context. For Neo4j, parameterized queries can securely and efficiently supply
+dynamic values to the query at the time of execution.
--- a/rules/S3649/java/rule.adoc
+++ b/rules/S3649/java/rule.adoc
@ -14,6 +14,8 @@ include::how-to-fix-it/spring-jdbc.adoc[]

 include::how-to-fix-it/hibernate.adoc[]

+include::how-to-fix-it/spring-data-neo4j.adoc[]
+
 == Resources

 include::../common/resources/docs.adoc[]