A study of NoSQL query injection in Neo4j

Query injection refers to a class of attack types that involve the insertion of maliciously crafted query parameters in database query operations, and/or API calls. Although these security issues have been studied extensively in relational databases, the possibility and incidence of injection in NoSQL data stores –which are built around fundamentally different data models– has received less attention. In this article, we present the outcomes of an in-depth investigation of the injection-related risks in the Neo4j graph database and its broader ecosystem. This study is based on (i) an investigation of the distributed execution of parameterized queries, from language-specific client connectors, to communication (Bolt protocol) and execution in Neo4j (in query plans), and (ii) identifying residual injection problems in cases where parameterized, static queries will not suffice. The study involves code-centric data flow investigation of the Neo4j code base, and is complemented with a test suite of injection test cases. We found that (i) the mechanism of query parameterization as promoted by Neo4j is effective in mitigating traditional query injection threats, and (ii) traditional query injection attacks however remain possible when this approach is not adopted, which is realistic for applications that necessarily involve dynamic, run-time query construction (e.g., analytics pipelines).