Merge branch 'dev' into 5.x

neo4j · Jun 28, 2024 · 179bb8d · 179bb8d
2 parents 4b5a47f + 2aaad03
commit 179bb8d
Show file tree

Hide file tree

Showing 8 changed files with 419 additions and 302 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+./.github/ @recrwplay
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    groups:
+      prod-dependencies:
+        dependency-type: "production"
+      dev-dependencies:
+        dependency-type: "development"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
diff --git a/README.adoc b/README.adoc
@@ -64,6 +64,44 @@ It could be omitted as the title already says that it is an experimental feature
 * Avoid the phrase “It is recommended to” when proposing a solution.
 * Capitalize all Cypher keywords, i.e., `MATCH` rather than `match` or `Match`.
 
+[[security-guidelines]]
+=== Security guidelines for writing error messages
+
+* Be informative but not too revealing.
+Error messages should provide enough information for users to understand what went wrong and possibly how to correct it, but they should not disclose sensitive information that could aid an attacker.
+For instance, instead of saying "Invalid username," use "Invalid username or password."
+
+* Avoid technical jargon.
+Use plain language that is easily understandable by all users.
+Avoid technical terms that could confuse users or reveal too much about the underlying architecture.
+
+* Use generic responses for security-related errors.
+For login errors, password validations, or any security-related processes, use generic error messages.
+For example, use "Login failed" instead of specifying whether the username or password was incorrect.
+
+* Do not expose internal information.
+Never reveal information about the internal state of the application, like file paths, database information, or stack traces, as these can provide attackers with clues about potential vulnerabilities.
+Stack traces are safe to have in debug.log but nowhere else.
+
+* Do not use error messages from underlying libraries/dependencies (e.g. Java runtime errors) but always catch the error and throw your own error message. It is safe to reuse error messages only if they are coming from Neo4j, i.e. have a Neo4j status code.
+
+* Guide users towards resolution.
+Where appropriate, guide users on how to rectify the error.
+For instance, if a user inputs an invalid format in a form, the error message should indicate the expected format.
+
+* Log detailed errors for internal use.
+While showing generic error messages to users, log detailed error information internally.
+This will help developers to debug issues without exposing sensitive information to users.
+
+* Regularly review and update error messages to ensure they remain relevant, accurate, and secure.
+
+.Optional further reading
+[TIP]
+====
+* link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Vocabulary_Cheat_Sheet.html[OWASP Cheat Sheet Series: Application Logging Vocabulary Cheat Sheet]
+* link:https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html[OWASP Cheat Sheet Series: Logging Cheat Sheet]
+====
+
 [[error-notification-components]]
 === Error and notification components
 

diff --git a/antora.yml b/antora.yml
@@ -7,6 +7,6 @@ nav:
 asciidoc:
   attributes:
     page-origin-private: false
-    neo4j-version: '5.20'
-    neo4j-version-exact: '5.20.0'
-    neo4j-buildnumber: '5.20'
+    neo4j-version: '5.21'
+    neo4j-version-exact: '5.21.0'
+    neo4j-buildnumber: '5.21'
diff --git a/modules/ROOT/pages/changelogs.adoc b/modules/ROOT/pages/changelogs.adoc
@@ -28,6 +28,7 @@ Neo.ClientNotification.Cluster.CordonedServersExistedDuringAllocation
 [source, status codes, role="noheader"]
 -----
 Neo.ClientNotification.Cluster.NoDatabasesReallocated
+Neo.ClientNotification.Statement.SideEffectVisibility
 -----
 
 == Neo4j 5.13

diff --git a/modules/ROOT/pages/notifications/all-notifications.adoc b/modules/ROOT/pages/notifications/all-notifications.adoc
@@ -1300,7 +1300,7 @@ m|INFORMATION
 m|TOPOLOGY
 |===
 
-.Reallocating databases resulted in no allocation changes 
+.Reallocating databases resulted in no allocation changes
 ====
 Command::
 +
@@ -1310,15 +1310,15 @@ REALLOCATE DATABASES
 ----
 
 Description of the returned code::
-No databases were reallocated. No better allocation is currently possible. 
+No databases were reallocated. No better allocation is currently possible.
 
 
 Example scenarios::
-**Scenario 1:** The cluster is already balanced. 
+**Scenario 1:** The cluster is already balanced.
 For example, when there are three servers, each hosting databases `foo` and `bar`, meaning all databases are allocated to all servers.
 +
 
-**Scenario 2:** The cluster appears unbalanced, but server constraints prevent you from moving to a better, more balanced, allocation. 
+**Scenario 2:** The cluster appears unbalanced, but server constraints prevent you from moving to a better, more balanced, allocation.
 For example, assuming server 1 hosts databases `foo` and `bar`, server 2 hosts only `foo`, and server 3 hosts no databases.
 Then, a better allocation would move `foo` from server 1 to server 3, but if server 3 has the constraint `deniedDatabases:['foo']}`, then the cluster is already balanced subject to this constraint.
 ====
@@ -1339,9 +1339,9 @@ m|INFORMATION
 m|TOPOLOGY
 |===
 
-.Requested topology matched current topology 
+.Requested topology matched current topology
 ====
-The example assumes that you have a cluster with three servers and a database `foo` with a topology of two primaries and one secondary. 
+The example assumes that you have a cluster with three servers and a database `foo` with a topology of two primaries and one secondary.
 
 Command::
 +
@@ -1705,7 +1705,9 @@ Relationship type expression cannot possibly be satisfied. (`R1&R2` can never be
 ====
 
 [#_neo_clientnotification_statement_repeatedrelationshipreference]
-=== Neo.ClientNotification.Statement.RepeatedRelationshipReference
+=== RepeatedRelationshipReference
+
+label:introduced-in-Neo4j-5.5[Introduced in Neo4j 5.5]
 
 .Notification category details
 [cols="<1s,<4"]
@@ -1720,7 +1722,7 @@ m|WARNING
 m|GENERIC
 |===
 
-.Binding a relationship variable more than once (when run on version 5.5 or newer)
+.Binding a relationship variable more than once
 ====
 Query::
 +