
Sanitize API inputs #37

@JDRomano2


The REST API does not sufficiently sanitize inputs. For example, when you perform a node search by CasRN, the following query should work:

https://comptox.ai/api/nodes/Chemical/search?field=xrefCasRN&value=1071-83-6

However, an error is received:

{
  "message": "No results found for user query",
  "query": "MATCH (n:Chemical) WHERE n.xrefCasRN = 1071-83-6 RETURN n, id(n);",
  "result": {
    "records": [],
    "summary": {
      "query": {
        "text": "MATCH (n:Chemical) WHERE n.xrefCasRN = 1071-83-6 RETURN n, id(n);",
        "parameters": {}
      },
      "queryType": "r",
      "counters": {
        "_stats": {
          "nodesCreated": 0,
          "nodesDeleted": 0,
          "relationshipsCreated": 0,
          "relationshipsDeleted": 0,
          "propertiesSet": 0,
          "labelsAdded": 0,
          "labelsRemoved": 0,
          "indexesAdded": 0,
          "indexesRemoved": 0,
          "constraintsAdded": 0,
          "constraintsRemoved": 0
        },
        "_systemUpdates": 0
      },
      "updateStatistics": {
        "_stats": {
          "nodesCreated": 0,
          "nodesDeleted": 0,
          "relationshipsCreated": 0,
          "relationshipsDeleted": 0,
          "propertiesSet": 0,
          "labelsAdded": 0,
          "labelsRemoved": 0,
          "indexesAdded": 0,
          "indexesRemoved": 0,
          "constraintsAdded": 0,
          "constraintsRemoved": 0
        },
        "_systemUpdates": 0
      },
      "plan": false,
      "profile": false,
      "notifications": [],
      "server": {
        "address": "165.123.13.192:7687",
        "version": "Neo4j/4.4.0",
        "protocolVersion": 4.2
      },
      "resultConsumedAfter": {
        "low": 397,
        "high": 0
      },
      "resultAvailableAfter": {
        "low": 1,
        "high": 0
      },
      "database": {
        "name": "neo4j"
      }
    }
  }
}

The solution is to appropriately wrap the CasRN in double quotes (e.g., n.xrefCasRN = "1071-83-6"), but the API does not do this.

Other instances of inputs that fail due to lack of sanitization are likely, but may be challenging to find in the absence of more robust testing and/or user-submitted bug reports.
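As an added example (not ComptoxAI's own code), the following shows the query-building pattern behind the reported failure next to a version that passes the CasRN through a Neo4j driver parameter instead of interpolating it into the Cypher text. Labels and property names cannot be parameters in Cypher, so they are checked against an allowlist; the allowlist contents and the `neo4j-driver` usage line are assumptions, not the project's real schema or code.

```javascript
// Added example: safe vs. unsafe construction of the node-search Cypher query.
// Values go through driver parameters ($value), so "1071-83-6" is sent as a
// string rather than being parsed by Cypher as the arithmetic 1071 - 83 - 6.

// Constructed allowlists (assumed; the real ComptoxAI schema may differ).
const ALLOWED_LABELS = new Set(['Chemical', 'Gene', 'Assay']);
const ALLOWED_FIELDS = new Set(['xrefCasRN', 'commonName', 'xrefDTXSID']);
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/; // plain Cypher identifier shape

// The pattern described in the issue: user input spliced into the query text.
function buildSearchQueryUnsafe(label, field, value) {
  return `MATCH (n:${label}) WHERE n.${field} = ${value} RETURN n, id(n);`;
}

// Hardened form: identifiers allowlisted, value handed to the driver as a parameter.
function buildSearchQuery(label, field, value) {
  if (!IDENT.test(label) || !ALLOWED_LABELS.has(label)) {
    throw new Error(`unknown node label: ${JSON.stringify(label)}`);
  }
  if (!IDENT.test(field) || !ALLOWED_FIELDS.has(field)) {
    throw new Error(`unknown search field: ${JSON.stringify(field)}`);
  }
  if (typeof value !== 'string' || value.length === 0 || value.length > 256) {
    throw new Error('search value must be a non-empty string of at most 256 characters');
  }
  // `$value` is a Cypher parameter placeholder, not a JS template substitution.
  return {
    text: `MATCH (n:${label}) WHERE n.${field} = $value RETURN n, id(n);`,
    parameters: { value },
  };
}

// Assumed usage with neo4j-driver (not executed here):
//   const q = buildSearchQuery('Chemical', 'xrefCasRN', '1071-83-6');
//   const result = await session.run(q.text, q.parameters);

module.exports = { buildSearchQuery, buildSearchQueryUnsafe };
```

The `text`/`parameters` pair mirrors the `summary.query` object in the error response above, where `parameters` was `{}` because the value had been inlined.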

Labels: bug (Something isn't working)