Merge: neo4j: Sanitize the inputs

![](http://imgs.xkcd.com/comics/exploits_of_a_mom.png )
— xkcd

Pull-Request: #930
Reviewed-by: Jean Privat <jean@pryen.org>
Reviewed-by: Alexandre Terrasa <alexandre@moz-code.org>

diff --git a/lib/neo4j/neo4j.nit b/lib/neo4j/neo4j.nit
index efe4f6a..f03e2f0 100644 (file)
--- a/lib/neo4j/neo4j.nit
+++ b/lib/neo4j/neo4j.nit
@@ -124,7 +124,7 @@ class Neo4jClient
                self.cypher_url = root["cypher"].to_s
        end
 
-       fun service_root: Jsonable do return get("{base_url}/db/data")
+       fun service_root: Jsonable do return get(base_url / "db/data")
 
        # Is the connection with the Neo4j server ok?
        fun is_ok: Bool do return service_root isa JsonObject
@@ -260,7 +260,7 @@ class Neo4jClient
        #     assert nodes.has(andres)
        #     assert nodes.has(kate)
        fun nodes_with_label(lbl: String): Array[NeoNode] do
-               var res = get("{base_url}/db/data/label/{lbl}/nodes")
+               var res = get(base_url / "db/data/label/{lbl.to_percent_encoding}/nodes")
                var nodes = new Array[NeoNode]
                for json in res.as(JsonArray) do
                        var obj = json.as(JsonObject)
@@ -287,7 +287,21 @@ class Neo4jClient
        #     assert not nodes.has(kate)
        fun nodes_with_labels(labels: Array[String]): Array[NeoNode] do
                assert not labels.is_empty
-               var res = cypher(new CypherQuery.from_string("MATCH (n:{labels.join(":")}) RETURN n"))
+
+               # Build the query.
+               var buffer = new RopeBuffer
+               buffer.append "match n where \{label_0\} in labels(n)"
+               for i in [1..labels.length[ do
+                       buffer.append " and \{label_{i}\} in labels(n)"
+               end
+               buffer.append " return n"
+               var query = new CypherQuery.from_string(buffer.write_to_string)
+               for i in [0..labels.length[ do
+                       query.params["label_{i}"] = labels[i]
+               end
+
+               # Retrieve the answer.
+               var res = cypher(query)
                var nodes = new Array[NeoNode]
                for json in res.as(JsonObject)["data"].as(JsonArray) do
                        var obj = json.as(JsonArray).first.as(JsonObject)
@@ -527,7 +541,7 @@ abstract class NeoEntity
        private var internal_properties: nullable JsonObject = null
 
        private fun load_properties: JsonObject do
-               var obj = neo.get("{url.to_s}/properties").as(JsonObject)
+               var obj = neo.get(url.to_s / "properties").as(JsonObject)
                internal_properties = obj
                return obj
        end
@@ -612,7 +626,7 @@ class NeoNode
 
        private fun load_labels: Array[String] do
                var labels = new Array[String]
-               var res = neo.get("{url.to_s}/labels")
+               var res = neo.get(url.to_s / "labels")
                if res isa JsonArray then
                        for val in res do labels.add val.to_s
                end
@@ -627,7 +641,7 @@ class NeoNode
 
        private fun load_in_edges: List[NeoEdge] do
                var edges = new List[NeoEdge]
-               var res = neo.get("{url.to_s}/relationships/in").as(JsonArray)
+               var res = neo.get(url.to_s / "relationships/in").as(JsonArray)
                for obj in res do
                        edges.add(new NeoEdge.from_json(neo, obj.as(JsonObject)))
                end
@@ -642,7 +656,7 @@ class NeoNode
 
        private fun load_out_edges: List[NeoEdge] do
                var edges = new List[NeoEdge]
-               var res = neo.get("{url.to_s}/relationships/out")
+               var res = neo.get(url.to_s / "relationships/out")
                for obj in res.as(JsonArray) do
                        edges.add(new NeoEdge.from_json(neo, obj.as(JsonObject)))
                end

diff --git a/tests/test_neo4j.nit b/tests/test_neo4j.nit
index 7ee824c..5575949 100644 (file)
--- a/tests/test_neo4j.nit
+++ b/tests/test_neo4j.nit
@@ -83,7 +83,7 @@ print "{kate["name"].to_s} IS LOVED BY {kate.in_nodes("LOVES").first["name"].to_
 
 print "\n# Test lazy\n"
 
-client = new Neo4jClient("http://localhost:7474")
+client = new Neo4jClient("http://localhost:7474/")
 assert client.is_ok
 
 # Read Andres