Posted to commits@jena.apache.org by rv...@apache.org on 2013/04/16 02:01:39 UTC

svn commit: r1468279 - /jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext

Author: rvesse
Date: Tue Apr 16 00:01:39 2013
New Revision: 1468279

URL: http://svn.apache.org/r1468279
Log:
Update docs to align with state of the code

Modified:
    jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext

Modified: jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext
URL: http://svn.apache.org/viewvc/jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext?rev=1468279&r1=1468278&r2=1468279&view=diff
==============================================================================
--- jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext (original)
+++ jena/site/trunk/content/documentation/query/paramertized-sparql-string.mdtext Tue Apr 16 00:01:39 2013
@@ -11,7 +11,7 @@ Values may be injected in several ways:
 -   Using JDBC style positional parameters
 -   Appending values directly to the command text being built
 
-Variable Parameters
+#### Variable Parameters
 
 Any variable in the command may have a value injected to it, injecting a
 value replaces all usages of that variable in the command i.e.
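Review bot: the new `####` level for "Variable Parameters" is consistent with the `### SPARQL Injection Notes` heading visible later in this patch, so the heading hierarchy now reads correctly; as a style point, the sentence "injecting a value replaces all usages of that variable in the command i.e." is a run-on that the heading change does not touch, and it would read better split at "command" with "i.e." starting the explanatory clause, e.g. "Any variable in the command may have a value injected into it. Injecting a value replaces all usages of that variable in the command, i.e."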
@@ -26,7 +26,7 @@ punctuation characters (currently <tt>; 
 have a unique index which reflects the order in which they appear in the
 string. Positional parameters use a zero based index.
 
-Buffer Usage
+#### Buffer Usage
 
 Additionally you may use this purely as a <code>StringBuffer</code>
 replacement for creating queries since it provides a large variety of
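Review bot: the context lines of this hunk mix raw HTML inline markup (`<tt>` in the hunk header, `<code>StringBuffer</code>` below) inside an `.mdtext` file, and the third hunk of this same patch normalises `<b>` to `<strong>`; for consistency, `<tt>` should be replaced with `<code>` (or markdown backticks) in the same change. Minor wording point on the unchanged line "Positional parameters use a zero based index.": "zero-based" should be hyphenated.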
@@ -72,28 +72,15 @@ instance represents is actually valid as
 ### SPARQL Injection Notes
 
 While this class was in part designed to prevent SPARQL injection it is
-by no means foolproof because it works purely at the textual level. The
-current version of the code addresses some possible attack vectors that
-the developers have identified but we recognize that there are some
-cases that we cannot prevent. In particular you should never surround a
-variable which you intend to replace with double quotes e.g.
-
-    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?\" }";
-    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
-
-While the class will recognize and prevent this as an error this
-protection is trivially defeated by placing some white space around the
-variable definition e.g
-
-    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" r \" }";
-    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
-
-This latter case cannot be easily detected and prevented because we
-can't easily distinguish between a possible injection vulnerability and
-a variable that merely occurs between two literals.
-
-Therefore, we <b>strongly</b> recommend that users concerned about SPARQL
-Injection attacks perform their own validation on provided parameters
-and test their use of this class to avoid known attack vectors. We also
-recommend that users do not use easily guessable variable names for
-their parameters as these can allow a chained injection attack.
+by no means foolproof because it works purely at the textual level. The current
+version of the code addresses some possible attack vectors that the
+developers have identified but we do not claim to be sufficiently devious to
+have thought of and prevented every possible attack vector.
+
+ Therefore we <strong>strongly</strong> recommend that users concerned about
+ SPARQL Injection attacks perform their own validation on provided parameters
+ and test their use of this class themselves prior to its use in any security
+ conscious deployment. We also recommend that users do not use easily
+ guess-able variable names for their parameters as these can allow a chained
+ injection attack though generally speaking the code should prevent these.
+ 
\ No newline at end of file
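Review bot: this hunk drops the only concrete, actionable guidance in the section (never surround a variable to be replaced with double quotes, and the note that whitespace around the variable defeats the check) without saying whether the code now handles those cases; since the commit message says the docs are being aligned with the code, the replacement text should state explicitly that the quoted-variable cases are now detected, or keep the examples as a documented limitation, rather than silently removing them. The new closing clause "though generally speaking the code should prevent these" also weakens the preceding recommendation; either name the check the class performs or drop the hedge. Formatting: lines 74 to 79 of the added text carry a leading space that the rest of the file does not use, "guess-able" should be "guessable", and the final added line is whitespace-only with no trailing newline, which the `\ No newline at end of file` marker flags.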