Securing extensions
Neo4j can be extended by writing custom code which can be invoked directly from Cypher, as described in Java Reference → User-defined procedures and Java Reference → User-defined functions. This page describes how to ensure the security of these additions.
Allow listing
Allow listing can be used to allow the loading of only a few extensions from a larger library. It is recommended to load extensions using the principle of least privilege. This principle dictates that you only load the procedures and functions necessary to execute your queries.
The configuration setting dbms.security.procedures.allowlist
is used to name certain procedures and functions that should be available from a library.
It defines a comma-separated list of procedures and functions that are to be loaded.
The list may contain both fully qualified procedure names, and partial names with the wildcard *
.
In this example, we need to allow the use of the method apoc.load.json
as well as all the methods under apoc.coll
.
We do not want to make available any additional extensions from the apoc
library, other than the ones matching these criteria.
# Example allow listing
dbms.security.procedures.allowlist=apoc.coll.*,apoc.load.json
There are a few things that should be noted about dbms.security.procedures.allowlist
:
-
If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
|
Unrestricting
For security reasons, procedures and functions that use internal APIs are disabled by default. In this case, it is also recommended to use the principle of least privilege and only unrestrict those procedures and functions which you are certain to use.
Procedures and functions can be unrestricted using the configuration setting dbms.security.procedures.unrestricted
.
It defines a comma-separated list of procedures and functions that are to be unrestricted.
The list may contain both fully qualified procedure and function names, and partial names with the wildcard (*
) expression.
In this example, we need to unrestict the use of the procedures apoc.cypher.runFirstColumn
and apoc.cypher.doIt
.
# Example unrestricting
dbms.security.procedures.unrestricted=apoc.cypher.runFirstColumn,apoc.cypher.doIt