
RBAC Major security flaw

Open GBrunelli opened this issue 11 months ago • 2 comments

I'm not sure if I found a major security flaw, or if I did not set up something correctly, but here's the thing: I added a custom role called 'api_reader' and denied this action for this particular role:

DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader

And when I try to read this property as someone with this role, I cannot, as expected.

But when I use apoc.convert.toJson on an Embeddable node, I'm able to read this property. Here's an example:

image

Neo4j version: 5.17.0 enterprise

GBrunelli avatar Mar 23 '24 19:03 GBrunelli
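The following Cypher script is an added reproduction and containment check, not part of the original issue or of APOC itself. It assumes a scratch user named reader_test, a placeholder password, and a single Embeddable node created for the test; the property-level DENY is the one quoted in the issue.

```cypher
// --- run as an admin on the `system` database ---
// Role setup as described in the issue: the role may traverse and read the
// graph, but reading the `embedding` property of Embeddable nodes is denied.
CREATE ROLE api_reader;
GRANT ACCESS ON DATABASE neo4j TO api_reader;
GRANT MATCH {*} ON GRAPH neo4j TO api_reader;
DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader;

// Scratch user for the check (assumed name and placeholder password).
CREATE USER reader_test SET PASSWORD 'CHANGE-ME-placeholder' CHANGE NOT REQUIRED;
GRANT ROLE api_reader TO reader_test;

// --- run as an admin on the `neo4j` database ---
// Constructed test data: one node whose sensitive property is the denied one.
CREATE (:Embeddable {name: 'probe', embedding: [0.1, 0.2, 0.3]});

// --- run as reader_test on the `neo4j` database ---
// Check 1: direct property access. The DENY is enforced, so this returns null.
MATCH (n:Embeddable {name: 'probe'})
RETURN n.embedding AS direct_read;

// Check 2: the same node serialised through APOC. If the returned JSON string
// contains an "embedding" key, the property-level DENY is not being honoured
// by the function and the issue reproduces on this server.
MATCH (n:Embeddable {name: 'probe'})
RETURN apoc.convert.toJson(n) CONTAINS '"embedding"' AS denied_property_leaked;

// --- containment, run as an admin on the `system` database ---
// Until the behaviour is resolved, the role can be barred from calling the
// function at all; the DENY on the property alone does not cover this path.
DENY EXECUTE FUNCTION apoc.convert.toJson ON DBMS TO api_reader;
```

After the containment statement, re-running check 2 as reader_test fails with an authorization error instead of returning a value, which is the result to expect from a properly scoped role.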