From 192bb053b5f2bc4ce13eb68979e6936aafda549e Mon Sep 17 00:00:00 2001
From: Jack
Date: Wed, 25 Sep 2024 16:06:26 +0800
Subject: [PATCH] Replace insecure native query endpoint with read-only language endpoint
---
 .../template/web/endpoints/DataServlet.java | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java b/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java
index 44dc0af..ddc72f9 100644
--- a/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java
+++ b/src/main/java/com/qubitpi/ws/jersey/template/web/endpoints/DataServlet.java
@@ -33,8 +33,8 @@ import jakarta.inject.Singleton;
 import jakarta.validation.constraints.NotNull;
 import jakarta.ws.rs.GET;
-import jakarta.ws.rs.POST;
 import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
@@ -86,6 +86,16 @@ public Response healthcheck() {
                 .build();
     }
+    @GET
+    @Path("/languages/{language}")
+    public Response getVocabularyByLanguage(@PathParam("language") String language) throws JsonProcessingException {
+        return query(
+                String.format(
+                        "MATCH (t:Term WHERE t.language = %s)-[r]->(d:Definition) RETURN t.name, d.name", language
+                )
+        );
+    }
+
     /**
      * Sends a native Neo4J query.
      *
@@ -109,9 +119,12 @@ public Response healthcheck() {
      * @return The native query response serialized into JSON
      *
      * @throws JsonProcessingException if the {@code body} payload is an invalid JSON
+     *
+     * @deprecated for great security vulnerability.
      */
-    @POST
-    @Path("/query")
+    // @POST
+    // @Path("/query")
+    @Deprecated
     public Response query(@NotNull final String body) throws JsonProcessingException {
         final String query = JSON_MAPPER.readTree(body).get("query").asText();
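Review bot: The new `getVocabularyByLanguage` hands a bare Cypher string to `query(...)`, but the `query` method shown in the later hunk parses its argument as JSON (`JSON_MAPPER.readTree(body).get("query").asText()`), so as written the call should fail with a `JsonProcessingException` on the first request rather than run. The `String.format("... t.language = %s ...", language)` also splices the `{language}` path segment straight into the statement text, unquoted, which is the same injection exposure the commit title says it removes — a caller controls part of the Cypher that reaches the database, and even a benign value arrives as an unquoted token rather than a string literal. The value should be bound as a Cypher parameter (`$language`) supplied alongside the statement instead of being formatted into it; since `query` only accepts a text body, that likely means giving it (or a private helper) a parameter map, which this commit does not provide. The method also has no Javadoc; a summary such as `Returns the terms and their definitions recorded for the given language.` with `@param language`, `@return` and `@throws` would match the neighbouring methods.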