Posted to commits@jena.apache.org by rv...@apache.org on 2013/03/28 19:50:50 UTC
svn commit: r1462256 - in /jena/trunk/jena-arq/src:
main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java
Author: rvesse
Date: Thu Mar 28 18:50:50 2013
New Revision: 1462256
URL: http://svn.apache.org/r1462256
Log:
Fix ParameterizedSparqlString to recognize and prevent the SPARQL Injection attack that Andy identified
Modified:
jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java
Modified: jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java?rev=1462256&r1=1462255&r2=1462256&view=diff
==============================================================================
--- jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java (original)
+++ jena/trunk/jena-arq/src/main/java/com/hp/hpl/jena/query/ParameterizedSparqlString.java Thu Mar 28 18:50:50 2013
@@ -32,6 +32,7 @@ import org.apache.jena.iri.IRI;
import com.hp.hpl.jena.datatypes.RDFDatatype;
import com.hp.hpl.jena.graph.Node;
+import com.hp.hpl.jena.graph.NodeFactory;
import com.hp.hpl.jena.rdf.model.Literal;
import com.hp.hpl.jena.rdf.model.Model;
@@ -39,6 +40,7 @@ import com.hp.hpl.jena.rdf.model.ModelFa
import com.hp.hpl.jena.rdf.model.RDFNode;
import com.hp.hpl.jena.shared.PrefixMapping;
import com.hp.hpl.jena.shared.impl.PrefixMappingImpl;
+import com.hp.hpl.jena.sparql.ARQException;
import com.hp.hpl.jena.sparql.serializer.SerializationContext;
import com.hp.hpl.jena.sparql.util.FmtUtils;
import com.hp.hpl.jena.sparql.util.NodeFactoryExtra;
@@ -551,6 +553,16 @@ public class ParameterizedSparqlString i
public String getBaseUri() {
return this.baseUri;
}
+
+ /**
+ * Helper method which does the validation of the parameters
+ * @param n Node
+ */
+ protected void validateParameterValue(Node n) {
+ if (n.isURI()) {
+ if (n.getURI().contains(">")) throw new ARQException("Value for the parameter attempts SQL injection");
+ }
+ }
/**
* Sets the Parameters
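Review bot: The exception message at the `throw` in validateParameterValue says "SQL injection", but this class builds SPARQL and the commit log itself calls it SPARQL injection; it should read `throw new ARQException("Value for the parameter attempts SPARQL injection");`. The guard also runs only for URI nodes: a typed literal carries a datatype IRI that the serializer presumably emits as `^^<...>`, and nothing here checks that string for `>`, so a datatype IRI built from untrusted input would reach the query unchecked — the rewrite below applies the same test to `n.getLiteralDatatypeURI()`. A further test is worth adding: if the ARQ lexer expands `\uXXXX` codepoint escapes before tokenising (SPARQL 1.1 §19.2 permits them anywhere outside comments), a value such as `hello\u003E } ; DROP ALL` would pass a plain `contains(">")` check; I cannot confirm from this hunk whether the parser behaves that way. Since `NodeFactory.createURI` does not appear, from what is visible, to validate IRI syntax, this helper is the only gate and its Javadoc should carry an `@throws ARQException` clause.
```java
/**
 * Validates a parameter value before it is stored, rejecting values that
 * could terminate the serialized IRIREF and inject further SPARQL.
 * @param n Node
 * @throws ARQException if a URI node, or the datatype IRI of a literal node, contains '>'
 */
protected void validateParameterValue(Node n) {
    if (n.isURI()) {
        if (n.getURI().contains(">"))
            throw new ARQException("Value for the parameter attempts SPARQL injection");
    } else if (n.isLiteral() && n.getLiteralDatatypeURI() != null) {
        // A typed literal's datatype is emitted as ^^<iri>, so it needs the same guard
        if (n.getLiteralDatatypeURI().contains(">"))
            throw new ARQException("Datatype IRI for the parameter attempts SPARQL injection");
    }
}
```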
@@ -584,6 +596,7 @@ public class ParameterizedSparqlString i
if (index < 0)
throw new IndexOutOfBoundsException();
if (n != null) {
+ this.validateParameterValue(n);
this.positionalParams.put(index, n);
} else {
this.positionalParams.remove(index);
@@ -609,6 +622,7 @@ public class ParameterizedSparqlString i
if (var.startsWith("?") || var.startsWith("$"))
var = var.substring(1);
if (n != null) {
+ this.validateParameterValue(n);
this.params.put(var, n);
} else {
this.params.remove(var);
@@ -660,7 +674,7 @@ public class ParameterizedSparqlString i
* IRI
*/
public void setIri(int index, String iri) {
- this.setParam(index, this.model.createResource(iri));
+ this.setParam(index, NodeFactory.createURI(iri));
}
/**
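Review bot: The Javadoc for setIri(int, String), which starts above this hunk, does not mention that the value is now validated when it is set rather than when the query is parsed; add `@throws ARQException if the IRI contains a '>' that would terminate the serialized IRIREF` so callers know to expect the exception from this call instead of from asQuery()/asUpdate(). Replacing `this.model.createResource(iri)` with `NodeFactory.createURI(iri)` may also change what a null `iri` produces — from this hunk I cannot tell whether either path rejects null — so an explicit `Objects.requireNonNull(iri, "iri")`, or a test pinning the behaviour, would make the contract explicit.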
@@ -676,7 +690,7 @@ public class ParameterizedSparqlString i
* IRI
*/
public void setIri(String var, String iri) {
- this.setParam(var, this.model.createResource(iri));
+ this.setParam(var, NodeFactory.createURI(iri));
}
/**
Modified: jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java
URL: http://svn.apache.org/viewvc/jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java?rev=1462256&r1=1462255&r2=1462256&view=diff
==============================================================================
--- jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java (original)
+++ jena/trunk/jena-arq/src/test/java/com/hp/hpl/jena/query/TestParameterizedSparqlString.java Thu Mar 28 18:50:50 2013
@@ -32,6 +32,7 @@ import com.hp.hpl.jena.rdf.model.Literal
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import com.hp.hpl.jena.shared.impl.PrefixMappingImpl;
+import com.hp.hpl.jena.sparql.ARQException;
import com.hp.hpl.jena.sparql.syntax.Element;
import com.hp.hpl.jena.sparql.syntax.ElementGroup;
import com.hp.hpl.jena.sparql.syntax.ElementPathBlock;
@@ -1267,38 +1268,48 @@ public class TestParameterizedSparqlStri
Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\", ?o . }", query.toString());
}
- @Test(expected=QueryParseException.class)
+ @Test(expected=ARQException.class)
public void test_param_string_injection_01() {
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");
UpdateRequest updates = pss.asUpdate();
- Assert.fail("Attempt to do SPARQL injection should result in an unparseable update");
+ Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
- @Test
+ @Test(expected=ARQException.class)
public void test_param_string_injection_02() {
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
+ pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye");
+
+ UpdateRequest updates = pss.asUpdate();
+ Assert.fail("Attempt to do SPARQL injection should result in an exception");
+ }
+
+ @Test
+ public void test_param_string_injection_03() {
+ String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
+ ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var2", "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");
UpdateRequest updates = pss.asUpdate();
Assert.assertEquals(1, updates.getOperations().size());
}
- @Test(expected=QueryParseException.class)
- public void test_param_string_injection_03() {
+ @Test(expected=ARQException.class)
+ public void test_param_string_injection_04() {
String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setIri("var2", "hello> . ?s ?p ?o");
Query q = pss.asQuery();
- Assert.fail("Attempt to do SPARQL injection should result in an unparseable query");
+ Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
@Test
- public void test_param_string_injection_04() {
+ public void test_param_string_injection_05() {
String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var2", "hello\" . ?s ?p ?o");