The REST API does not sufficiently sanitize inputs. For example, when you perform a node search by CasRN, the following query should work:

https://comptox.ai/api/nodes/Chemical/search?field=xrefCasRN&value=1071-83-6

However, an error is received:
```json
{
  "message": "No results found for user query",
  "query": "MATCH (n:Chemical) WHERE n.xrefCasRN = 1071-83-6 RETURN n, id(n);",
  "result": {
    "records": [],
    "summary": {
      "query": {
        "text": "MATCH (n:Chemical) WHERE n.xrefCasRN = 1071-83-6 RETURN n, id(n);",
        "parameters": {}
      },
      "queryType": "r",
      "counters": {
        "_stats": {
          "nodesCreated": 0,
          "nodesDeleted": 0,
          "relationshipsCreated": 0,
          "relationshipsDeleted": 0,
          "propertiesSet": 0,
          "labelsAdded": 0,
          "labelsRemoved": 0,
          "indexesAdded": 0,
          "indexesRemoved": 0,
          "constraintsAdded": 0,
          "constraintsRemoved": 0
        },
        "_systemUpdates": 0
      },
      "updateStatistics": {
        "_stats": {
          "nodesCreated": 0,
          "nodesDeleted": 0,
          "relationshipsCreated": 0,
          "relationshipsDeleted": 0,
          "propertiesSet": 0,
          "labelsAdded": 0,
          "labelsRemoved": 0,
          "indexesAdded": 0,
          "indexesRemoved": 0,
          "constraintsAdded": 0,
          "constraintsRemoved": 0
        },
        "_systemUpdates": 0
      },
      "plan": false,
      "profile": false,
      "notifications": [],
      "server": {
        "address": "165.123.13.192:7687",
        "version": "Neo4j/4.4.0",
        "protocolVersion": 4.2
      },
      "resultConsumedAfter": {
        "low": 397,
        "high": 0
      },
      "resultAvailableAfter": {
        "low": 1,
        "high": 0
      },
      "database": {
        "name": "neo4j"
      }
    }
  }
}
```
The solution is to appropriately wrap the CasRN in double quotes (e.g., n.xrefCasRN = "1071-83-6"), but the API does not do this.

Other instances of inputs that fail due to lack of sanitization are likely, but may be challenging to find in the absence of more robust testing and/or user-submitted bug reports.
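The response above shows where the failure comes from: the `query` string contains the raw value `1071-83-6` spliced into the Cypher text, and the summary reports `"parameters": {}`, so nothing was bound as a parameter. Quoting the value in the query text, as proposed, stops this particular error; binding it as a Cypher parameter removes the whole class of problem, because the driver then delivers the value as a string regardless of what characters it contains. The following is an added example, not code from the comptox.ai project; it assumes the API assembles its Cypher in JavaScript and uses only the label, field and value visible in the issue's URL. The allowlist of searchable fields and the function names are hypothetical.

```javascript
// Added example, not comptox.ai's own code. It assumes the API builds its
// Cypher in JavaScript (the project's real implementation is not shown here)
// and uses only the label, field and value visible in the issue's URL.

// Naive builder: the user-supplied value is spliced straight into the query
// text, which is exactly what the "query" string in the error response shows
// (1071-83-6 unquoted, and "parameters": {} because nothing was bound).
function buildQueryNaive(label, field, value) {
  return {
    text: `MATCH (n:${label}) WHERE n.${field} = ${value} RETURN n, id(n);`,
    parameters: {},
  };
}

// Hypothetical allowlist of searchable properties per node label. Cypher can
// bind values as parameters but not labels or property names, so those two
// must be restricted to a fixed set rather than passed through from the URL.
const SEARCHABLE_FIELDS = {
  Chemical: new Set(['xrefCasRN']), // extend with the API's other search fields
};

// Safe builder: label and field are checked against the allowlist, and the
// value is delivered to Neo4j as the bound parameter $value. The driver sends
// "1071-83-6" as a string no matter what characters it contains, so quoting
// inside the query text is no longer the application's job.
function buildQuerySafe(label, field, value) {
  const allowed = SEARCHABLE_FIELDS[label];
  if (!allowed || !allowed.has(field)) {
    throw new Error(`'${field}' is not a searchable field on ${label}`);
  }
  return {
    text: `MATCH (n:${label}) WHERE n.${field} = $value RETURN n, id(n)`,
    parameters: { value: String(value) },
  };
}

// With the official neo4j-driver the object above is run as
//   session.run(query.text, query.parameters)
// which is the call that populates "parameters" in the result summary.

// Stand-alone demonstration on the issue's own input.
function demo() {
  const naive = buildQueryNaive('Chemical', 'xrefCasRN', '1071-83-6');
  const safe = buildQuerySafe('Chemical', 'xrefCasRN', '1071-83-6');
  console.log('naive :', naive.text);
  console.log('safe  :', safe.text, JSON.stringify(safe.parameters));
  return { naive, safe };
}

demo();
```

The allowlist matters as much as the parameter: the `field` query-string argument names a property, and property names cannot be bound in Cypher, so a fixed set of permitted fields per label is the only way to keep that part of the request from reaching the query text unchecked.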