Posted to commits@jena.apache.org by an...@apache.org on 2018/08/05 15:33:29 UTC

[04/19] jena git commit: ARQ:Query:ParameterizedSparqlString - "validateParameterValue" now performed on all values' items to ensure no injection through ">" in URI. Test added based on existing tests.

ARQ:Query:ParameterizedSparqlString - "validateParameterValue" now performed on all values' items to ensure no injection through ">" in URI. Test added based on existing tests.

Project: http://git-wip-us.apache.org/repos/asf/jena/repo
Commit: http://git-wip-us.apache.org/repos/asf/jena/commit/93c67800
Tree: http://git-wip-us.apache.org/repos/asf/jena/tree/93c67800
Diff: http://git-wip-us.apache.org/repos/asf/jena/diff/93c67800

Branch: refs/heads/master
Commit: 93c678001479d059989fcc66dbf55125c8f19c6c
Parents: b06b67b
Author: Greg Albiston <gr...@hotmail.com>
Authored: Mon Jul 30 14:45:20 2018 +0100
Committer: Greg Albiston <gr...@hotmail.com>
Committed: Mon Jul 30 14:45:20 2018 +0100

----------------------------------------------------------------------
 .../apache/jena/query/ParameterizedSparqlString.java    |  2 ++
 .../jena/query/TestParameterizedSparqlString.java       | 12 ++++++++++++
 2 files changed, 14 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/jena/blob/93c67800/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
----------------------------------------------------------------------
diff --git a/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java b/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
index 2a71ea9..ab3bfcc 100644
--- a/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
+++ b/jena-arq/src/main/java/org/apache/jena/query/ParameterizedSparqlString.java
@@ -1749,6 +1749,7 @@ public class ParameterizedSparqlString implements PrefixMapping {
      * @param isParenthesisNeeded
      */
     public void setValues(String varName, Collection<? extends RDFNode> items, boolean isParenthesisNeeded) {
+        items.forEach(item -> validateParameterValue(item.asNode()));
         this.valuesReplacements.put(varName, new ValueReplacement(varName, items, isParenthesisNeeded));
     }
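Review bot: The added check inspects `items` at call time, yet the same `items` reference is handed to `ValueReplacement` on the next line, so if ValueReplacement keeps that reference (its constructor is not visible here) a caller can add an element after `setValues` returns and it will be spliced into the query at `asQuery()` time without ever passing `validateParameterValue`. Taking a snapshot first closes that gap: `List<RDFNode> snapshot = new ArrayList<>(items);` then `snapshot.forEach(item -> validateParameterValue(item.asNode()));` and `this.valuesReplacements.put(varName, new ValueReplacement(varName, snapshot, isParenthesisNeeded));`. The same applies to `setGroupedValues` in the second hunk, where both the outer collection and each inner list would need copying. A `null` element now surfaces as a NullPointerException from `item.asNode()` rather than the ARQException callers are told to expect; if null values are not permitted, `Objects.requireNonNull(item, "VALUES item for " + varName)` gives a clearer failure. The enclosing class continues outside the hunk.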
 
@@ -1837,6 +1838,7 @@ public class ParameterizedSparqlString implements PrefixMapping {
      * @param items
      */
     public void setGroupedValues(String varName, Collection<List<? extends RDFNode>> items) {
+        items.forEach(collection -> collection.forEach(item -> validateParameterValue(item.asNode())));
         this.valuesReplacements.put(varName, new ValueReplacement(varName, items));
     }
 

http://git-wip-us.apache.org/repos/asf/jena/blob/93c67800/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
----------------------------------------------------------------------
diff --git a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
index fd9b79d..69c50bf 100644
--- a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
+++ b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java
@@ -2058,4 +2058,16 @@ public class TestParameterizedSparqlString {
         //System.out.println("Res: " + res);
         Assert.assertEquals(exp, res);
     }
+
+    @Test(expected = ARQException.class)
+    public void test_set_values_uri_injection() {
+        // This injection is prevented by forbidding the > character in URIs
+        String str = "PREFIX : <http://example/>\nSELECT * WHERE { VALUES ?obj {?objVar} <s> <p> ?obj . }";
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
+        pss.setValues(str, ResourceFactory.createResource("<http://example.org/obj_A>"));
+
+        pss.asQuery();
+        Assert.fail("Attempt to do SPARQL injection should result in an exception");
+    }
+
 }
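Review bot: The added `pss.setValues(str, ...)` call passes the whole query string as the variable name, while the placeholder in the query is `?objVar`, so the line should read `pss.setValues("objVar", ResourceFactory.createResource("<http://example.org/obj_A>"));`. The test presumably still passes because the node is rejected regardless of the variable name, but as written it does not demonstrate that the `>` check guards the VALUES substitution path. Since rejection appears to happen inside `setValues` rather than in `asQuery()`, the `pss.asQuery()` and `Assert.fail` lines are never reached; a comment such as `// the node is rejected in setValues, before asQuery() is called` would make the intent of the expected-exception annotation clear. The test class continues outside the hunk.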