Description
(from coderabbit:)
Eliminate Cypher injection risk and enforce data_source_id isolation
`find_nodes_by_path` and `find_nodes_by_slug` interpolate `path`, `slug`, and `node_type` directly into f-string Cypher queries. This creates injection and quoting vulnerabilities—any parameter containing `'` or special characters can break the query or enable injection.
Additionally, `execute_raw_query()` appends only a `LIMIT 100` and does not enforce `data_source_id` scoping, allowing callers to bypass the repository's isolation contract and query across data sources.
Parameterized query support should be added to GraphClientProtocol and AgeGraphClient to pass parameters safely:
- Modify `execute_cypher(query: str, parameters: dict = None)` - Use parameterized binding in the underlying database client (PostgreSQL psycopg2, Neo4j, or AGE equivalents support this)
- In `execute_raw_query()`, wrap user queries to enforce the `data_source_id = :data_source_id` constraint
These changes are essential to prevent injection attacks and ensure data isolation.
Originally posted by @coderabbitai[bot] in #21 (comment)
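Added illustration of the two defects above and one way to close them; this is not the repository's code nor the reviewer's. The helper names, the `$name` Cypher placeholder syntax, the label pattern and `FakeClient` are assumptions; real binding is done by the driver behind `execute_cypher(query, parameters)`.

```python
import re

# Vulnerable shape the review describes: values spliced into the Cypher text.
# A slug such as  x' OR true //  rewrites the query instead of matching a value.
def find_by_slug_unsafe(slug: str, node_type: str) -> str:
    return f"MATCH (n:{node_type} {{slug: '{slug}'}}) RETURN n LIMIT 100"

# Labels cannot be bound as parameters in Cypher, so they are validated against a
# strict identifier pattern (assumed); every other value goes in the parameter dict.
LABEL_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def find_by_slug_safe(slug: str, node_type: str, data_source_id: str) -> tuple[str, dict]:
    if not LABEL_RE.match(node_type):
        raise ValueError(f"invalid node_type {node_type!r}")
    query = (
        f"MATCH (n:{node_type} {{slug: $slug, data_source_id: $data_source_id}}) "
        "RETURN n LIMIT 100"
    )
    # The query text is constant for a given label; user input never touches it.
    return query, {"slug": slug, "data_source_id": data_source_id}

# Raw-query path: refuse queries that do not reference the scoping parameter, bind
# the caller's data_source_id server-side, and add LIMIT only when none is present.
# Checking for the placeholder is a minimal guard; a parser-based check is stronger.
def execute_raw_query_safe(query: str, data_source_id: str, client) -> list:
    if "$data_source_id" not in query:
        raise ValueError("raw query must filter on $data_source_id")
    if not re.search(r"\bLIMIT\s+\d+\s*$", query, re.IGNORECASE):
        query = f"{query} LIMIT 100"
    return client.execute_cypher(query, {"data_source_id": data_source_id})

# Constructed stand-in for the graph client so the example runs offline; it just
# echoes what would be sent to the database.
class FakeClient:
    def execute_cypher(self, query: str, parameters: dict = None) -> list:
        return [query, parameters or {}]

if __name__ == "__main__":
    hostile = "x' OR true //"
    print(find_by_slug_unsafe(hostile, "Document"))          # structure altered
    print(find_by_slug_safe(hostile, "Document", "ds-1"))    # value stays in params
    print(execute_raw_query_safe(
        "MATCH (n {data_source_id: $data_source_id}) RETURN n", "ds-1", FakeClient()))
```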