7.2. Securing extensions

This section describes how to ensure the security of custom-written additions in Neo4j.

7.2.1. Sandboxing

Neo4j provides sandboxing to ensure that procedures do not perform insecure actions. The sandboxing functionality limits the use of extensions to APIs that either exclusively contain safe operations or contain security checks.

Any attempt to load an extension that uses unsupported restricted APIs, without naming the procedure as allowed, will result in a warning in the security log. The warning will point out that the extension does not have access to the components it is trying to load. Additionally, a mocked procedure will be loaded under the procedure’s name. Calling the mocked procedure will result in an error stating that the procedure failed to load because it needs more permissions.

The configuration setting dbms.security.procedures.unrestricted is used to explicitly name procedures that should be allowed access to all components. It takes a comma-separated list of procedures. The wildcard character * may be used.

Example 7.20. Sandboxing

The following setting will allow the extension with the name my.extensions.example, as well as those matching the pattern my.procedures.*.

# Example sandboxing
dbms.security.procedures.unrestricted=my.extensions.example,my.procedures.*

7.2.2. White listing

White listing can be used to allow loading only a few extensions from a larger library.

Use the configuration setting dbms.security.procedures.whitelist to name the procedures that should be available from a certain library. It takes a comma-separated list of procedures. The wildcard character * may be used. Note that if using this setting, no extensions other than those listed will be loaded.

Example 7.21. White listing

The following setting will white list the extension with the name my.extensions.example, as well as those matching the pattern my.procedures.*. It will not load any extensions other than the ones listed.

# Example white listing
dbms.security.procedures.whitelist=my.extensions.example,my.procedures.*
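The following is an added example, not code from the Neo4j manual or code base, that models how the two settings above combine for a given procedure name. It assumes that * matches any run of characters and every other character (including the dots in procedure names) is literal, and it reproduces the outcomes the text describes: an unlisted name is not loaded when a whitelist is set, and a sandboxed procedure that needs restricted APIs is replaced by a mocked procedure.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


def _parse_list(setting: str) -> List[str]:
    """Split a comma-separated setting value into trimmed, non-empty patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def _matches(pattern: str, name: str) -> bool:
    """Match a procedure name against a pattern where '*' matches any run of
    characters (assumption); all other characters, dots included, are literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


@dataclass
class ProcedurePolicy:
    whitelist: List[str]     # dbms.security.procedures.whitelist
    unrestricted: List[str]  # dbms.security.procedures.unrestricted

    @classmethod
    def from_settings(cls, config: Dict[str, str]) -> "ProcedurePolicy":
        return cls(
            whitelist=_parse_list(config.get("dbms.security.procedures.whitelist", "")),
            unrestricted=_parse_list(config.get("dbms.security.procedures.unrestricted", "")),
        )

    def is_loaded(self, name: str) -> bool:
        # An empty whitelist loads everything; a non-empty one loads only listed names.
        return not self.whitelist or any(_matches(p, name) for p in self.whitelist)

    def is_unrestricted(self, name: str) -> bool:
        return any(_matches(p, name) for p in self.unrestricted)

    def evaluate(self, name: str, uses_restricted_api: bool) -> str:
        """Outcome for one procedure: 'not loaded', 'loaded', 'unrestricted' or 'mocked'."""
        if not self.is_loaded(name):
            return "not loaded"
        if self.is_unrestricted(name):
            return "unrestricted"
        if uses_restricted_api:
            return "mocked"  # warning in the security log; calling it raises an error
        return "loaded"


# Constructed sample settings, taken from the two examples in this section.
SANDBOX_ONLY = {"dbms.security.procedures.unrestricted": "my.extensions.example,my.procedures.*"}
WITH_WHITELIST = dict(SANDBOX_ONLY, **{"dbms.security.procedures.whitelist": "my.extensions.example,my.procedures.*"})
```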