BloodHound redacts sensitive information from logged cypher queries by replacing it with $STRIPPED in the log strings, e.g.:
bloodhound-bloodhound-1 | {"level":"info","query":"match (u1:User {domain: $STRIPPED}), (u2:User {domain: $STRIPPED}) where u1.samaccountname <> $STRIPPED and u1.samaccountname = u2.samaccountname with u2 match p1 = (u2)-[r:MemberOf*1..]->(g:Group) with p1 match p2 = (u2)-[r:MemberOf*1..]->(g:Group) return p1, p2","time":"2023-12-19T12:02:39.893419034Z","message":"Executing user cypher query"}
If a neo4j driver error occurs, the originally stripped information is not replaced in the error record of the neo4j driver (redaction done by me):
bloodhound-bloodhound-1 | {"level":"info","query":"match (u1:User {domain: $STRIPPED}), (u2:User {domain: $STRIPPED}) where u1.samaccountname <> $STRIPPED and u1.samaccountname = u2.samaccountname with u2 match p1 = (u2)-[r:MemberOf*1..]->(g:Group) with p1 match p2 = (u2)-[r:MemberOf*1..]->(g:Group) return p1, p2","time":"2023-12-19T12:02:39.893419034Z","message":"Executing user cypher query"}
bloodhound-bloodhound-1 | {"level":"info","time":"2023-12-19T12:02:39.893514766Z","message":"Cypher query cost is: 21.00. Reduction factor for query is: 4. Available timeout for query is now set to: 7.50 seconds"}
bloodhound-bloodhound-1 | {"level":"warn","time":"2023-12-19T12:02:47.787096395Z","message":"Writing API Error. Status: 500. Message: [{ driver error: Neo4jError: Neo.ClientError.Transaction.TransactionTimedOut (The transaction has been terminated. Retry your operation in a new transaction, and you should see a successful result. The transaction has not completed within the specified timeout (dbms.transaction.timeout). You may want to retry with a longer timeout. ) - query: match (u1:User {domain: \"<DOMAIN1>\"}), (u2:User {domain: \"<DOMAIN2>\"}) where u1.samaccountname <> \"krbtgt\" and u1.samaccountname = u2.samaccountname with u2 match p1 = (u2)-[r:MemberOf*1..]->(g:Group) with p1 match p2 = (u2)-[r:MemberOf*1..]->(g:Group) return p1, p2}]"}
Component(s) Affected:
UI
API
Neo4j
PostgreSQL
Data Collector (SharpHound, AzureHound)
Other (tooling, documentation, etc.)
Steps to Reproduce:
Create a cypher query that produces a neo4j error, e.g. by creating a query with a higher database cost. Queries with a high db cost have a limited timeout; if the query cannot be completed, the error message will contain the domain names.
Expected Behavior:
Sensitive information like domain names should be redacted in all error records.
Actual Behavior:
Sensitive information is not redacted in error records of the neo4j driver.
Screenshots/Code Snippets/Sample Files:
Environment Information:
BloodHound: latest
Potential Solution (Optional):
Error records need to be parsed for sensitive information before writing them to log or stdout.
Contributor Checklist:
I have searched the issue tracker to ensure this bug hasn't been reported before or is not already being addressed.
I have provided clear steps to reproduce the issue.
I have included relevant environment information details.
I have attached necessary supporting documents.
I have checked that any JSON files I am attempting to upload to BloodHound are valid.
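A sketch of the redaction the potential solution above calls for, written in Go as an added example (it is not BloodHound's own stripCypherQuery or any code from the linked PR): quoted Cypher literals in the query echoed back by the driver error are replaced with the same $STRIPPED placeholder BloodHound already uses for its query log line. The function names stripCypherLiterals and sanitizeDriverError and the fallback behaviour are assumptions; the " - query: " marker is taken from the error line shown in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Quoted Cypher string literals, single- or double-quoted, allowing
// backslash-escaped characters inside (e.g. "a\"b" or 'O\'Brien').
var cypherLiteral = regexp.MustCompile(`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`)

// queryMarker is the separator the driver error on this page uses before
// the raw query text ("... - query: match ...").
const queryMarker = " - query: "

// stripCypherLiterals replaces every quoted literal with $STRIPPED, the same
// placeholder BloodHound uses when it logs the query itself. The Literal
// variant is required: ReplaceAllString would treat "$STRIPPED" as a
// capture-group reference and expand it to the empty string.
func stripCypherLiterals(query string) string {
	return cypherLiteral.ReplaceAllLiteralString(query, "$STRIPPED")
}

// sanitizeDriverError redacts the query echoed back in a neo4j driver error
// before the error is written to a log or an API response. If the expected
// marker is absent, the whole message is redacted: over-redacting an error
// is cheaper than leaking a domain name (hypothetical policy, not BloodHound's).
func sanitizeDriverError(msg string) string {
	idx := strings.Index(msg, queryMarker)
	if idx < 0 {
		return stripCypherLiterals(msg)
	}
	cut := idx + len(queryMarker)
	return msg[:cut] + stripCypherLiterals(msg[cut:])
}

func main() {
	// Constructed driver error in the shape of the log line in this issue;
	// the domain names are placeholders, not real values.
	sample := `Neo4jError: Neo.ClientError.Transaction.TransactionTimedOut ` +
		`(The transaction has been terminated.) - query: ` +
		`match (u1:User {domain: "corp.example"}), (u2:User {domain: "child.corp.example"}) ` +
		`where u1.samaccountname <> "krbtgt" and u1.samaccountname = u2.samaccountname return u2`
	fmt.Println(sanitizeDriverError(sample))
}
```

Numeric literals and parameter names are left untouched, so the redacted error still shows the query shape a developer needs for debugging.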
slokie-so added the ticketed label ((automation only) Ticket has been created internally for tracking) and removed the triage label (This issue requires triaging) on Mar 26, 2024.
* chore: sanitize cypher queries in driver errors
* test: add unit test for stripCypherQuery
* fix: IsNeoTimeoutError should handle graph.Error properly