Adds load json ssrf mitigation

[ncordon]

What

Uses Neo4j internal option unsupported.dbms.cypher_ip_blocklist, which consists on a list of ip addresses in CDIR notation, i.e. ip + mask for subnets, e.g. 192.167.2.3/8, 192.234.3.123/16. When using the apoc.load.json(url) command, the url will be looked up in a DNS resolver and we will fail if it is on the list of blocked ip addresses.

Why

Users can try to load data from any url (including internal ones), which could expose files the user does not have permissions to see from outside.

[ncordon]

A new 4.4 version of the database needs to be released and substituted here.

[conker84]

@ncordon If we don't use a non snapshot version we aren't able to test the PR in GH can you please change it to 4.4.3?

[ncordon]

The code we need is in 4.4.4, and to release 4.4.4 we are going to need this to be merged on red. The CI of the database will compile the APOC code overriding the version.

So even bumping this, don't expect the CI to pass.

After the database has been released, we can bump here to 4.4.4 and release a new version of APOC.

[ncordon]

This was done without the need to depend on 4.4.4 in the end

[ncordon]

Configuration setting for IP block/allow list

[jakewins]

Shouldn't this check be done in checkReadAllowed, where the other access rules as processed? With the check here, you can still make calls that violate the blocklist using apoc.load.xml, apoc.xml.import, apoc.load.xmlSimple, apoc.load.xls, apoc.cypher.runFiles and so on.

Similarly, we should process the blocklist in checkWriteAllowed, otherwise people can violate the blocklist by sending POST requests and other output network connections?

[jexp]

yes we should not pass the full apoc config through, either just what we need or better like Jake said handle it in the single place where we control the loading.

[jexp]

https://github.com/neo4j-contrib/neo4j-apoc-procedures/blob/4.3/core/src/main/java/apoc/util/FileUtils.java#L142-L241

[jexp]

Also you don't need to pass apocConfig through but use ApocConfig.getConfig().methodCall()

there are already some methods for checking, we can handle the address as part of that.
so you would rather do something like ApocConfig#isIpAllowed(ip) or ApocConfig#isHostNameAllowed(hostname)
need to make sure though to resolve the final hostname properly to ip-address (after all the http-redirects are handled).

https://github.com/neo4j-contrib/neo4j-apoc-procedures/blob/4.3/core/src/main/java/apoc/ApocConfig.java#L250-L262

[conker84]

@ncordon please look at the comments above

[ncordon]

@jexp I have addressed the concern for redirects in a pending PR: https://github.com/neo-technology/neo4j/pull/14171. The logic for the blocking lives in the kernel of the database and here I am reusing the same logic. So once that's merged we should be safe with respect to redirects (I hope).

@conker84 I get the need for checkReadAllowed, but checkWriteAllowed works only with filenames, which this blocklist doesn't include, judging by its signature?

Do we have any situation where we can do a POST to a path in a remote server?

[ncordon]

This has been addressed.

With respect to checkWriteAllowed, we've deemed that change is not necessary as it only affects files. POST requests (load json ones for example) go through the checkReadAllowed.

[jexp]

write list also works with urls e.g. for s3 URLs

[ncordon]

checkWriteAllowed is only used with things that require a physical file I believe:

[conker84]

this should be not necessary
edit. github seems that cutted my review, lemme do that again

[conker84]

@ncordon please look at the comments above

[ncordon]

This is needed now if we want to avoid transitive dependencies that come from the database in 4.4.4

[jexp]

but then we need to take it out when 4.4.4 is out?

[conker84]

@jexp My idea is to keep in 4.4.x so we can cover also older Neo4j versions, and remove it from 5.0

[conker84]

Thank you so much @ncordon