Replace insecure native query endpoint with read-only language endpoint

QubitPi · Sep 25, 2024 · 192bb05 · 192bb05
1 parent c01bf20
commit 192bb05
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java b/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java
@@ -33,8 +33,8 @@
 import jakarta.inject.Singleton;
 import jakarta.validation.constraints.NotNull;
 import jakarta.ws.rs.GET;
-import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
@@ -86,6 +86,16 @@ public Response healthcheck() {
                 .build();
     }
 
+    @GET
+    @Path("/languages/{language}")
+    public Response getVocabularyByLanguage(@PathParam("language") String language) throws JsonProcessingException {
+        return query(
+                String.format(
+                        "MATCH (t:Term WHERE t.language = %s)-[r]->(d:Definition) RETURN t.name, d.name", language
+                )
+        );
+    }
+
     /**
      * Sends a native Neo4J query.
      *
@@ -109,9 +119,12 @@ public Response healthcheck() {
      * @return The native query response serialized into JSON
      *
      * @throws JsonProcessingException if the {@code body} payload is an invalid JSON
+     *
+     * @deprecated for great security vulnerability.
      */
-    @POST
-    @Path("/query")
+    // @POST
+    // @Path("/query")
+    @Deprecated
     public Response query(@NotNull final String body) throws JsonProcessingException {
         final String query = JSON_MAPPER.readTree(body).get("query").asText();