Posted to commits@jena.apache.org by an...@apache.org on 2018/08/05 15:33:29 UTC
[04/19] jena git commit: ARQ:Query:ParameterizedSparqlString -
"validateParameterValue" now performed on all values' items to ensure no
injection through ">" in URI. Test added based on existing tests.
ARQ:Query:ParameterizedSparqlString - "validateParameterValue" now performed on all values' items to ensure no injection through ">" in URI. Test added based on existing tests.
Project: http://git-wip-us.apache.org/repos/asf/jena/repo
Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/93c67800
Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/93c67800
Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/93c67800
Branch: refs/heads/master
Commit: 93c678001479d059989fcc66dbf55125c8f19c6c
Parents: b06b67b
Author: Greg Albiston <gr...@hotmail.com>
Authored: Mon Jul 30 14:45:20 2018 +0100
Committer: Greg Albiston <gr...@hotmail.com>
Committed: Mon Jul 30 14:45:20 2018 +0100
----------------------------------------------------------------------
.../apache/jena/query/ParameterizedSparqlString.java | 2 ++
.../jena/query/TestParameterizedSparqlString.java | 12 ++++++++++++
2 files changed, 14 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/jena/blob/93c67800/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
----------------------------------------------------------------------
diff --git a/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java b/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
index 2a71ea9..ab3bfcc 100644
--- a/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
+++ b/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
@@ -1749,6 +1749,7 @@ public class ParameterizedSparqlString implements PrefixMapping {
* @param isParenthesisNeeded
*/
public void setValues(String varName, Collection<? extends RDFNode> items, boolean isParenthesisNeeded) {
+ items.forEach(item -> validateParameterValue(item.asNode()));
this.valuesReplacements.put(varName, new ValueReplacement(varName, items, isParenthesisNeeded));
}
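Review bot: A null element in `items` now surfaces as a NullPointerException from `item.asNode()` on the added line, rather than the ARQException the validation path otherwise reports; the nested loop in the `setGroupedValues` hunk below has the same gap (a null inner list or a null element). Either reject nulls with the same exception type, e.g. `items.forEach(item -> { if (item == null) throw new ARQException("Null value in items for " + varName); validateParameterValue(item.asNode()); });`, or document the precondition. The Javadoc above, which starts before this hunk, should also gain `@throws ARQException if any item fails validateParameterValue` now that the setter validates. One caveat to confirm against the `ValueReplacement` constructor (outside this hunk): if it keeps a reference to the caller's collection instead of copying it, the check holds only at set time and a collection mutated afterwards is not re-validated when the query is built.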
@@ -1837,6 +1838,7 @@ public class ParameterizedSparqlString implements PrefixMapping {
* @param items
*/
public void setGroupedValues(String varName, Collection<List<? extends RDFNode>> items) {
+ items.forEach(collection -> collection.forEach(item -> validateParameterValue(item.asNode())));
this.valuesReplacements.put(varName, new ValueReplacement(varName, items));
}
http://git-wip-us.apache.org/repos/asf/jena/blob/93c67800/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
----------------------------------------------------------------------
diff --git a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
index fd9b79d..69c50bf 100644
--- a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
+++ b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
@@ -2058,4 +2058,16 @@ public class TestParameterizedSparqlString {
//System.out.println("Res: " + res);
Assert.assertEquals(exp, res);
}
+
+ @Test(expected = ARQException.class)
+ public void test_set_values_uri_injection() {
+ // This injection is prevented by forbidding the > character in URIs
+ String str = "PREFIX : <http://example/>\nSELECT * WHERE { VALUES ?obj {?objVar} <s> <p> ?obj . }";
+ ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
+ pss.setValues(str, ResourceFactory.createResource("<http://example.org/obj_A>"));
+
+ pss.asQuery();
+ Assert.fail("Attempt to do SPARQL injection should result in an exception");
+ }
+
}
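Review bot: The new test passes the whole query string as the variable name on `pss.setValues(str, ...)` instead of `"objVar"`, so the VALUES substitution the test is meant to guard is never targeted; it still fails as expected only because the added validation rejects the node irrespective of name, and without that validation `asQuery()` would presumably throw on the unsubstituted `VALUES ?obj {?objVar}` anyway (hedged — the parser is outside this hunk), which would let the test pass for the wrong reason. Change the call to `pss.setValues("objVar", ResourceFactory.createResource("<http://example.org/obj_A>"));` so the test exercises the path the first file changes. The `Assert.fail` after `asQuery()` is redundant with `@Test(expected = ARQException.class)` and never runs when the test passes; it can stay or go, but it adds no signal.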