Posted to commits@jena.apache.org by rv...@apache.org on 2013/03/28 19:50:50 UTC

svn commit: r1462256 - in /jena/trunk/jena-arq/src: main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java

Author: rvesse
Date: Thu Mar 28 18:50:50 2013
New Revision: 1462256

URL: http://svn.apache.org/r1462256
Log:
Fix ParameterizedSparqlString to recognize and prevent the SPARQL Injection attack that Andy identified

Modified:
    jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
    jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java

Modified: jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java?rev=1462256&r1=1462255&r2=1462256&view=diff
==============================================================================
--- jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java (original)
+++ jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java Thu Mar 28 18:50:50 2013
@@ -32,6 +32,7 @@ import org.apache.jena.iri.IRI;
 
 import com.hp.hpl.jena.datatypes.RDFDatatype;
 import com.hp.hpl.jena.graph.Node;
+import com.hp.hpl.jena.graph.NodeFactory;
 
 import com.hp.hpl.jena.rdf.model.Literal;
 import com.hp.hpl.jena.rdf.model.Model;
@@ -39,6 +40,7 @@ import com.hp.hpl.jena.rdf.model.ModelFa
 import com.hp.hpl.jena.rdf.model.RDFNode;
 import com.hp.hpl.jena.shared.PrefixMapping;
 import com.hp.hpl.jena.shared.impl.PrefixMappingImpl;
+import com.hp.hpl.jena.sparql.ARQException;
 import com.hp.hpl.jena.sparql.serializer.SerializationContext;
 import com.hp.hpl.jena.sparql.util.FmtUtils;
 import com.hp.hpl.jena.sparql.util.NodeFactoryExtra;
@@ -551,6 +553,16 @@ public class ParameterizedSparqlString i
     public String getBaseUri() {
         return this.baseUri;
     }
+    
+    /**
+     * Helper method which does the validation of the parameters
+     * @param n Node
+     */
+    protected void validateParameterValue(Node n) {
+        if (n.isURI()) {
+            if (n.getURI().contains(">")) throw new ARQException("Value for the parameter attempts SQL injection");
+        }
+    }
 
     /**
      * Sets the Parameters
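Review bot: The message on the throw inside validateParameterValue says "SQL injection" although the guard, the log message and the tests are all about SPARQL; change it to `throw new ARQException("Value for the parameter attempts SPARQL injection");`. The check is also a single-character denylist: only `>` is rejected, while the SPARQL 1.1 IRIREF production additionally excludes `<`, `"`, `{`, `}`, `|`, `^`, the backtick, the backslash, space and control characters, so rejecting any character outside that production (the file already imports org.apache.jena.iri.IRI, which may offer that parse) would tie the guard to what can legally be serialized rather than to the one case known today. The Javadoc should state the contract callers now see, e.g. `@throws ARQException if the node is a URI whose lexical form cannot be written as a single IRI reference`. Because both setParam overloads in the later hunks call this method on every non-null value, those two fixes cover the setIri paths as well; the enclosing class continues outside the hunk.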
@@ -584,6 +596,7 @@ public class ParameterizedSparqlString i
         if (index < 0)
             throw new IndexOutOfBoundsException();
         if (n != null) {
+            this.validateParameterValue(n);
             this.positionalParams.put(index, n);
         } else {
             this.positionalParams.remove(index);
@@ -609,6 +622,7 @@ public class ParameterizedSparqlString i
         if (var.startsWith("?") || var.startsWith("$"))
             var = var.substring(1);
         if (n != null) {
+            this.validateParameterValue(n);
             this.params.put(var, n);
         } else {
             this.params.remove(var);
@@ -660,7 +674,7 @@ public class ParameterizedSparqlString i
      *            IRI
      */
     public void setIri(int index, String iri) {
-        this.setParam(index, this.model.createResource(iri));
+        this.setParam(index, NodeFactory.createURI(iri));
     }
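Review bot: setIri(int, String) now throws ARQException for an IRI string containing `>`, since it passes the NodeFactory.createURI result to setParam, which validates on assignment, yet its Javadoc (starting above the hunk) is unchanged and still reads as if any string were accepted; add `@throws ARQException if {@code iri} contains a character that cannot appear inside a SPARQL IRI reference`. NodeFactory.createURI, unlike the previous model.createResource path, performs no IRI checking of its own as far as this hunk shows, so that single rule in validateParameterValue is now the only guard on this input and the doc should say so. The same Javadoc addition applies to the setIri(String, String) overload in the next hunk.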
 
     /**
@@ -676,7 +690,7 @@ public class ParameterizedSparqlString i
      *            IRI
      */
     public void setIri(String var, String iri) {
-        this.setParam(var, this.model.createResource(iri));
+        this.setParam(var, NodeFactory.createURI(iri));
     }
 
     /**

Modified: jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java?rev=1462256&r1=1462255&r2=1462256&view=diff
==============================================================================
--- jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java (original)
+++ jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java Thu Mar 28 18:50:50 2013
@@ -32,6 +32,7 @@ import com.hp.hpl.jena.rdf.model.Literal
 import com.hp.hpl.jena.rdf.model.Resource;
 import com.hp.hpl.jena.rdf.model.ResourceFactory;
 import com.hp.hpl.jena.shared.impl.PrefixMappingImpl;
+import com.hp.hpl.jena.sparql.ARQException;
 import com.hp.hpl.jena.sparql.syntax.Element;
 import com.hp.hpl.jena.sparql.syntax.ElementGroup;
 import com.hp.hpl.jena.sparql.syntax.ElementPathBlock;
@@ -1267,38 +1268,48 @@ public class TestParameterizedSparqlStri
         Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\", ?o . }", query.toString());
     }
 
-    @Test(expected=QueryParseException.class)
+    @Test(expected=ARQException.class)
     public void test_param_string_injection_01() {
         String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
         ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
         pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");
         
         UpdateRequest updates = pss.asUpdate();
-        Assert.fail("Attempt to do SPARQL injection should result in an unparseable update");
+        Assert.fail("Attempt to do SPARQL injection should result in an exception");
     }
     
-    @Test
+    @Test(expected=ARQException.class)
     public void test_param_string_injection_02() {
         String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
         ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
+        pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye");
+        
+        UpdateRequest updates = pss.asUpdate();
+        Assert.fail("Attempt to do SPARQL injection should result in an exception");
+    }
+    
+    @Test
+    public void test_param_string_injection_03() {
+        String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
+        ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
         pss.setLiteral("var2", "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");
         
         UpdateRequest updates = pss.asUpdate();
         Assert.assertEquals(1, updates.getOperations().size());
     }
     
-    @Test(expected=QueryParseException.class)
-    public void test_param_string_injection_03() {
+    @Test(expected=ARQException.class)
+    public void test_param_string_injection_04() {
         String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }";
         ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
         pss.setIri("var2", "hello> . ?s ?p ?o");
         
         Query q = pss.asQuery();
-        Assert.fail("Attempt to do SPARQL injection should result in an unparseable query");
+        Assert.fail("Attempt to do SPARQL injection should result in an exception");
     }
     
     @Test
-    public void test_param_string_injection_04() {
+    public void test_param_string_injection_05() {
         String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }";
         ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
         pss.setLiteral("var2", "hello\" . ?s ?p ?o");
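Review bot: In test_param_string_injection_01, _02 and _04 the ARQException is raised by the `pss.setIri(...)` call itself, because the main-file change validates inside setParam, so the following `UpdateRequest updates = pss.asUpdate();` (or `Query q = pss.asQuery();`) and `Assert.fail(...)` lines are unreachable and `updates`/`q` are dead locals; with `@Test(expected=ARQException.class)` covering the whole method the test also cannot tell a rejection at assignment from a later parse failure. Drop those two lines from each of the three tests so the expectation pins the setIri rejection alone, and keep the `Assert.fail` message text consistent with that, e.g. `"setIri should reject an IRI containing '>'"` if a message is retained in a comment. Both setIri cases exercise only the `>` rule; one case using another character the validation is meant to exclude would pin the intended contract rather than the single example. test_param_string_injection_05 continues outside the hunk.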