
Bug: AgeGraphService has insufficient Cypher injection prevention #319

@Brad-Edwards

Description


AgeGraphService.escapeCypher() only escapes backslashes and single quotes, but Cypher injection can involve other characters. All queries use String.format with interpolated values rather than parameterized queries.

Additionally, the depth parameter from GraphController is interpolated directly into Cypher queries without bounds validation. A malicious client could pass depth=999999 to trigger extremely expensive graph traversals.

Current behavior:

private String escapeCypher(String input) {
    return input.replace("\\", "\\\\").replace("'", "\\'");
}

Queries use: String.format("... WHERE v.uid = '%s' ...", escapeCypher(uid))

Expected behavior:

  • Use parameterized queries where Apache AGE supports them
  • Where parameterization is not possible (AGE limitation), document the risk and add comprehensive escaping
  • Validate and bound the depth parameter

Location: AgeGraphService.java
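A hardened version of the pattern described above, as an added example (not the project's code): the depth is bounded before it is rendered into the variable-length pattern (Cypher does not accept a parameter there), and uid is allow-listed and bound as a cypher() parameter instead of being interpolated. It assumes JDBC against PostgreSQL with Apache AGE, a hypothetical graph name `graph`, edge label `PARENT_OF`, uid format and MAX_DEPTH, and that AGE accepts the bound agtype map as the third argument of cypher().

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not the project's code. Graph name, edge label, uid format
// and MAX_DEPTH are hypothetical; the cypher() parameter binding assumes AGE
// accepts a prepared agtype map as its third argument.
public final class SafeGraphQueries {
    static final int MAX_DEPTH = 5;

    // Allow-list for identifiers: anything that is not a plain token is rejected
    // up front, so no escaping logic has to be trusted.
    static final Pattern UID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    static int boundDepth(int requested) {
        if (requested < 1 || requested > MAX_DEPTH) {
            throw new IllegalArgumentException("depth must be between 1 and " + MAX_DEPTH);
        }
        return requested;
    }

    static String requireUid(String uid) {
        if (uid == null || !UID.matcher(uid).matches()) {
            throw new IllegalArgumentException("uid has an invalid format");
        }
        return uid;
    }

    // depth is the one value that must be rendered as a literal (Cypher range
    // bounds cannot be parameters), so it is validated first; uid travels as a
    // parameter map, never inside the query text.
    static PreparedStatement descendants(Connection conn, String uid, int depth)
            throws SQLException {
        int d = boundDepth(depth);
        String u = requireUid(uid);
        String sql = "SELECT * FROM cypher('graph', $$ "
                   + "MATCH (v {uid: $uid})-[:PARENT_OF*1.." + d + "]->(x) RETURN x"
                   + " $$, ?::agtype) AS (x agtype)";
        PreparedStatement ps = conn.prepareStatement(sql);
        // The map is built only from the allow-listed token, so it is valid JSON.
        ps.setString(1, "{\"uid\": \"" + u + "\"}");
        return ps;
    }
}
```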

Traced Requirements

  • GC-G001: Ancestor-Descendant Traversal
  • GC-G004: Apache AGE Materialization

Impact

Security — potential Cypher injection. Performance — unbounded depth can cause DoS.

Metadata

Labels: bug (Something isn't working), security (Security vulnerabilities)