Add unsafeEscapeOptions

[angrykoala]

Description

Add unsafeEscapeOptions to Neo4jGraphQL features with the following flags:

• disableRelationshipTypeEscaping (default to false)
• disableNodeLabelEscaping (defaults to false)

These flags remove the automatic escaping of node labels and relationship types in the generated Cypher.

For example, given the following schema:

type Actor {
    name: String!
}

type Movie {
    title: String!
    actors: [Actor!]! @relationship(type: "FROM_PRODUCTION]->(:Production)-[:ACTED_IN", direction: OUT)
}

A GraphQL query going through the actors relationship:

query {
    movies {
        title
        actors {
            name
        }
    }
}

Will normally generate the following Cypher for the relationship:

MATCH (this:Movie)-[this0:`FROM_PRODUCTION]->(:Production)-[:ACTED_IN`]->(this1:Actor)

The label FROM_PRODUCTION]->(:Production)-[:ACTED_IN is escaped by placing it inside backticks (```), as some characters in it are susceptible of code injection.

If the option disableRelationshipTypeEscaping is set in Neo4jGraphQL, this safety mechanism will be disabled:

new Neo4jGraphQL({
    typeDefs,
    features: {
        unsafeEscapeOptions: {
            disableRelationshipTypeEscaping: true,
        },
    },
});

Generating the following Cypher instead:

MATCH (this:Movie)-[this0:FROM_PRODUCTION]->(:Production)-[:ACTED_IN]->(this1:Actor)

This can be useful in very custom scenarios where the Cypher needs to be tweaked or if the labels and types have already been escaped.

Warning: This is a safety mechanism to avoid Cypher injection. Changing these options may lead to code injection and an unsafe server.

[changeset-bot]

🦋 Changeset detected

Latest commit: 847e7bd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
@neo4j/graphql	Patch
@neo4j/graphql-ogm	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[neo4j-team-graphql]

Performance Report

No Performance Changes

Show Full Table

name	dbHits	old dbHits	time (ms)	old time (ms)	maxRows
aggregations.TopLevelAggregate	3404	3404	39	49	1134
aggregations.TopLevelAggregateWithMultipleFields	6802	6802	50	78	1134
aggregations.NestedAggregation	15407	15407	66	85	2174
aggregations.AggregationWithWhere	10833	10833	43	56	2174
aggregations.AggregationWhereWithinNestedRelationships	20097917	20097917	2154	2265	2008534
aggregations.AggregationWhereWithinNestedConnections	20097917	20097917	2124	2186	2008534
aggregations.NestedCountFromMovieToActors	8603	8603	35	39	2174
aggregations.NestedCountFromActorsToMovie	8791	8791	42	41	2174
aggregations.DeeplyNestedCount	10052335	10052335	2630	2838	2008534
aggregations.InterfacesAggregations	6242	6242	43	67	2080
aggregations.InterfacesAggregationsWithTwoFields	11444	11444	79	101	2080
batch-create.BatchCreate	4200	4200	133	149	600
batch-create.BatchCreateSmall	77	77	60	64	11
connect.createAndConnect	6433	6433	138	188	3003
connections.Connection	12951	12951	59	67	2174
connections.NestedConnection	37705	37705	122	157	4516
create.SimpleMutation	7	7	52	64	1
cypher-directive.TopLevelMutationDirective	1135	1135	26	30	1134
delete.SimpleDelete	19401	19401	811	807	1040
delete.NestedDeleteInUpdate	16844	16844	135	162	1183
2871.NestedRelationshipFilter	19632	19632	59	74	4395
2925.SingleRelationshipFilter	5245	5245	37	47	1040
2925.NestedSingleRelationshipFilter	17641	17641	70	106	2174
2925.SingleRelationshipRequiredFilter	5201	5201	35	50	1040
2925.NestedSingleRelationshipRequiredFilter	9361	9361	53	72	1040
query.SimpleQuery	3121	3121	20	23	1040
query.SimpleQueryWithRelationship	15031	15031	40	46	2174
query.QueryWhere	8564	8564	33	41	2154
query.SimpleQueryWithNestedWhere	8713	8713	46	68	2154
query.Nested	10084891	10084891	6800	6447	2008534
query.NestedWithFilter	10064992	10064992	6328	6484	2004000
query.OrFilterOnRelationships	36646	36451	146	184	1927
query.OrFilterOnRelationshipsAndNested	26635	26486	249	246	1927
query.QueryWithNestedIn	14123	14150	51	63	1841
query.NestedConnectionWhere	8703	8703	54	68	2174
query.DeeplyNestedConnectionWhere	8702	8702	81	96	2174
query.DeeplyNestedWithRelationshipFilters	17357	17357	127	164	1552
query.NestedWithRelationshipSingleFilters	3808	3808	144	198	1134
query.Fulltext	64	64	32	44	16
query.FulltextWithNestedQuery	516	516	43	50	84
sorting-and-cypher.TopLevelSortWithCypher	12961	12961	41	47	2174
sorting-and-cypher.TopLevelConnectionSortWithCypher	12961	12961	63	75	2174
sorting-and-cypher.TopLevelSortWithCypherWithNested	13096	13096	55	64	2174
sorting-and-cypher.TopLevelConnectionSortWithCypherWithNested	13096	13096	92	108	2174
sorting-and-cypher.TopLevelSortWithExpensiveCypher	13715	13725	100	135	2174
sorting-and-cypher.TopLevelConnectionSortWithExpensiveCypher	13266	13266	109	145	2174
sorting.SortMultipleTypes	3436	3436	84	96	1040
sorting.SortMultipleTypesWithCypherWithCypher	13321	13321	115	131	2174
sorting.SortOnNestedFields	12951	12951	42	54	2174
sorting.SortDeeplyNestedFields	39785	39785	76	101	4516
sorting.ConnectionWithSort	3271	3271	74	83	1040
unions.SimpleUnionQuery	321	321	55	63	35
unions.SimpleUnionQueryWithMissingFields	293	293	58	63	35
unions.NestedUnion	309975	309975	305	297	33033
unions.NestedUnionWithMissingFields	283949	283949	262	289	33033
update.NestedUpdate	14137	14137	112	110	2002

Old Schema Generation: 27.675s
Schema Generation: 27.632s
Old Subgraph Schema Generation: 28.524s
Subgraph Schema Generation: 28.348s

[angrykoala]

Following the change in neo4j/cypher-builder#513

Update cypher builder on this PR and update disableLabelEscaping to disableNodeLabelEscaping for consistency

[MacondoExpress]

LGTM!