Securing extensions
Neo4j can be extended by writing custom code which can be invoked directly from Cypher, as described in Java Reference → User-defined procedures and Java Reference → User-defined functions. This section describes how to ensure the security of these additions.
White listing
White listing can be used to allow the loading of only a few extensions from a larger library.
The configuration setting dbms.security.procedures.whitelist is used to name certain procedures that should be available from a library. It defines a comma-separated list of procedures that are to be loaded. The list may contain both fully-qualified procedure names, and partial names with the wildcard *.
In this example we wish to allow the use of the method apoc.load.json as well as all the methods under apoc.coll. We do not want to make available any additional extensions from the apoc library, other than the ones matching these criteria.
# Example white listing: apoc.load.json plus everything under apoc.coll
dbms.security.procedures.whitelist=apoc.coll.*,apoc.load.json
There are a few things that should be noted about dbms.security.procedures.whitelist:
- If using this setting, no extensions other than those listed will be loaded. In particular, if it is set to the empty string, no extensions will be loaded.
- The default of the setting is *. This means that if you do not explicitly give it a value, all libraries in the plugins directory will be loaded.
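To review a white list before deploying it, the following added example (not part of the Neo4j documentation or code base) reads the setting from neo4j.conf text and reports which procedure names a given value would load, so an exact name such as apoc.load.json can be compared with the wider wildcard apoc.load.*. It assumes the matching rules are as described above (comma-separated entries, * matches any run of characters); the helper names and the sample procedure list are constructed for illustration.

```python
import re

SETTING = "dbms.security.procedures.whitelist"

# Constructed sample: procedure names a plugin library might register.
SAMPLE_PROCEDURES = [
    "apoc.load.json", "apoc.load.jdbc", "apoc.load.xml",
    "apoc.coll.partition", "apoc.export.csv.all",
]

def read_whitelist(conf_text):
    """Return the setting's value from neo4j.conf text, or '*' (the default) if unset."""
    value = "*"
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == SETTING:
            value = val.strip()  # assumption of this sketch: the last occurrence wins
    return value

def compile_patterns(value):
    """Turn each comma-separated entry into a regex where '*' matches any characters."""
    patterns = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:  # an empty value yields no patterns, so nothing is loaded
            regex = ".*".join(re.escape(part) for part in entry.split("*"))
            patterns.append(re.compile(regex))
    return patterns

def loaded(value, procedures):
    """Procedures from the list that the white list value would allow to load."""
    patterns = compile_patterns(value)
    return [p for p in procedures if any(rx.fullmatch(p) for rx in patterns)]

def blocked(value, procedures):
    """Procedures from the list that the white list value would keep out."""
    allowed = set(loaded(value, procedures))
    return [p for p in procedures if p not in allowed]

if __name__ == "__main__":
    for value in ("apoc.coll.*,apoc.load.json", "apoc.coll.*,apoc.load.*", "", "*"):
        print(repr(value), "->", loaded(value, SAMPLE_PROCEDURES))
```

Running it shows that apoc.load.* also admits apoc.load.jdbc and apoc.load.xml from the sample list, which the exact name apoc.load.json does not.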