How to sanitize inputs to prevent CYPHER injection?

Hi again 🙂

Anything that uses string building is vulnerable to Cypher injection if no sanitisation is used. For the case with the APOC procedures I suggested, here is an example to help you out.

Let’s say you send in a query where you have a parameter “label” (The following query is not very useful, but just for show!)

If the param called label is:

:param label => "Person"
CALL apoc.cypher.doIt(
"MATCH (m:`" + $label +"`)" +
"RETURN m.prop", {})
YIELD value
RETURN value

Then this makes APOC run the query:

MATCH (m:`Person`)
RETURN m.prop

If the param you sent in was using raw user input, and it looked like:

:param label => "Person`) MATCH (a) DETACH DELETE a //"

This runs:

MATCH (m:`Person`) MATCH (a) DETACH DELETE a //RETURN m.prop

This deletes everything and comments out the rest of the query (similar to what the article you linked showed).

So, as you can see, it has the same vulnerabilities as normal Cypher. That is why these procedures are not recommended for use with user input.

These are, however, useful for dynamic labels, types or props in cases where the name does not come from user input and therefore doesn't pose the same risk, for example if you provide the strings yourself, as you know what they contain!

APOC provides some sanitisation for procedures where labels/types are directly passed in.

I believe these are found in

So the only APOC procedures and functions that are safe are the ones that directly take a label, type or prop name as input. If one takes a string that is a query, then we can't do sanitisation on it, making it vulnerable.

Hope this helps 🙂
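To make the point above concrete, here is an added example (not from the post or from APOC) that builds the same dynamic-label query three ways in Python and feeds each the payload quoted above: raw concatenation, identifier escaping by backtick doubling, and an application-defined allowlist. The allowlist contents and the `clause_keywords` shape check are constructed for illustration; the check is a template-shape heuristic, not a Cypher parser.

```python
import re

# Constructed allowlist: label names the application defines itself, which is
# the "strings you provide yourself" case the post describes as safe.
ALLOWED_LABELS = frozenset({"Person", "Movie", "Company"})

# The payload quoted in the post, used here only to show how each builder handles it.
PAYLOAD = "Person`) MATCH (a) DETACH DELETE a //"


def build_unsafe(label: str) -> str:
    """Mirrors the post's concatenation: raw input lands inside the Cypher text."""
    return "MATCH (m:`" + label + "`) RETURN m.prop"


def quote_identifier(name: str) -> str:
    """Backtick-quote a Cypher identifier, doubling any inner backtick so the
    value cannot close the quoted identifier early and start new clauses."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing identifier")
    return "`" + name.replace("`", "``") + "`"


def build_escaped(label: str) -> str:
    """Dynamic label with the identifier escaped: the payload becomes an odd but
    harmless label name rather than additional clauses."""
    return f"MATCH (m:{quote_identifier(label)}) RETURN m.prop"


def is_allowed(label: str) -> bool:
    """Allowlist check: only labels the application itself chose may be used."""
    return label in ALLOWED_LABELS


def build_allowlisted(label: str) -> str:
    """Safest option: refuse anything that is not an application-defined label."""
    if not is_allowed(label):
        raise ValueError(f"label not permitted: {label!r}")
    return build_escaped(label)


_CLAUSE = re.compile(
    r"\b(MATCH|RETURN|DELETE|DETACH|CREATE|MERGE|SET|REMOVE|CALL|WITH)\b", re.I
)


def clause_keywords(query: str) -> list[str]:
    """Clause keywords outside backtick-quoted identifiers: a cheap shape check
    that an assembled query still has the clauses of its template and no more."""
    stripped = re.sub(r"`(?:[^`]|``)*`", "`x`", query)
    return [k.upper() for k in _CLAUSE.findall(stripped)]
```

Running the shape check over `build_unsafe(PAYLOAD)` reports five clause keywords where the template has two, while the escaped and allowlisted builders keep the template's `MATCH`/`RETURN` shape.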