I'm not sure if I found a major security flaw, or if I did not set something up correctly, but here's the thing:
I added a custom role called 'api_reader', and denied this action for this particular role:
DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO api_reader
And when I try to read this property as someone with this role, I cannot, as expected.
But when I use apoc.convert.toJson on an Embeddable node, I'm able to read this property. Here's an example:
Neo4j version: 5.17.0 enterprise
@GBrunelli I cannot see anything particularly wrong with your query. However, when I tried it out myself on a small database containing one (:Embeddable {embedding:[...]}) node, I get null back for both columns, as expected.
Can you share which other privileges the api_reader role has? And do the Embeddable nodes have additional properties on them?
Hi! I tried to reproduce this, the only way I can do it is if I give the user boosted function privileges, which overrides denies. As this is expected behaviour, I will close this. Feel free to reopen if you have more information and this is not the reason.
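An audit sketch for the cause named in the closing comment, added here as an example and not taken from the thread or from Neo4j/APOC: it scans privilege commands in the style of `SHOW ROLE api_reader PRIVILEGES AS COMMANDS` and reports which functions run boosted for a role that also carries property denies. The sample lines (apart from the DENY from the issue) and the helper names are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the style of `SHOW ROLE api_reader PRIVILEGES AS COMMANDS`.
# Only the DENY line comes from the issue; the other lines are assumed.
SAMPLE = [
    "GRANT ACCESS ON DATABASE * TO `api_reader`",
    "GRANT MATCH {*} ON GRAPH * NODE * TO `api_reader`",
    "DENY READ {embedding} ON GRAPH neo4j NODE Embeddable TO `api_reader`",
    "GRANT EXECUTE BOOSTED FUNCTION apoc.* ON DBMS TO `api_reader`",
]

DENY_PROP = re.compile(
    r"^DENY\s+(?:READ|MATCH)\s+\{(?P<props>[^}]*)\}\s+ON\s+GRAPH\s+\S+\s+"
    r"(?:NODES?|RELATIONSHIPS?|ELEMENTS?)\s+(?P<labels>.+?)\s+TO\s", re.I)
BOOSTED = re.compile(
    r"^(?P<kind>GRANT|DENY)\s+EXECUTE\s+BOOSTED\s+(?:USER\s+(?:DEFINED\s+)?)?"
    r"FUNCTIONS?\s+(?P<globs>.+?)\s+ON\s+DBMS\s+TO\s", re.I)

def boosted_globs(commands, kind):
    """Collect function name globs from GRANT or DENY EXECUTE BOOSTED FUNCTION lines."""
    globs = []
    for cmd in commands:
        m = BOOSTED.match(cmd.strip())
        if m and m.group("kind").upper() == kind:
            globs += [g.strip().strip("`") for g in m.group("globs").split(",")]
    return globs

def functions_overriding_denies(commands, functions):
    """Map each function that runs boosted to the (label, property) denies it can bypass."""
    denied = []
    for cmd in commands:
        m = DENY_PROP.match(cmd.strip())
        if m:
            for label in m.group("labels").split(","):
                for prop in m.group("props").split(","):
                    denied.append((label.strip().strip("`"), prop.strip().strip("`")))
    # Assumption: a DENY on the boosted privilege cancels a matching GRANT.
    granted = boosted_globs(commands, "GRANT")
    blocked = boosted_globs(commands, "DENY")
    result = {}
    for fn in functions:
        boosted = any(fnmatchcase(fn, g) for g in granted)
        boosted = boosted and not any(fnmatchcase(fn, g) for g in blocked)
        if boosted and denied:
            result[fn] = denied
    return result
```

Running it over each role's privilege commands with the list of installed function names shows where a property deny does not hold for function calls.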