Posted to commits@jena.apache.org by bu...@apache.org on 2013/04/16 02:02:05 UTC
svn commit: r858610 - in /websites/staging/jena/trunk/content: ./ documentation/query/paramertized-sparql-string.html
Author: buildbot
Date: Tue Apr 16 00:02:05 2013
New Revision: 858610
Log:
Staging update by buildbot for jena
Modified:
websites/staging/jena/trunk/content/ (props changed)
websites/staging/jena/trunk/content/documentation/query/paramertized-sparql-string.html
Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Tue Apr 16 00:02:05 2013
@@ -1 +1 @@
-1466628
+1468279
Modified: websites/staging/jena/trunk/content/documentation/query/paramertized-sparql-string.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/query/paramertized-sparql-string.html (original)
+++ websites/staging/jena/trunk/content/documentation/query/paramertized-sparql-string.html Tue Apr 16 00:02:05 2013
@@ -165,7 +165,7 @@ may be injected.</p>
<li>Using JDBC style positional parameters</li>
<li>Appending values directly to the command text being built</li>
</ul>
-<p>Variable Parameters</p>
+<h4 id="variable-parameters">Variable Parameters</h4>
<p>Any variable in the command may have a value injected to it, injecting a
value replaces all usages of that variable in the command i.e.
substitutes the variable for a constant, injection is done by textual
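Review bot: Promoting `<p>Variable Parameters</p>` to `<h4 id="variable-parameters">` is the right fix here, since the parent section in the later hunk is an `<h3 id="sparql-injection-notes">` with the same slug-style id, and the `<p>` was rendering a subsection title as body text. While this paragraph is being touched, the unchanged context sentence "Any variable in the command may have a value injected to it, injecting a value replaces all usages of that variable in the command i.e. substitutes the variable for a constant, injection is done by textual" is a comma-spliced run-on; splitting it into three sentences (what can be injected, what injection does, how it is done) would make the textual-substitution caveat easier to find.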
@@ -176,7 +176,7 @@ parameter is a single <tt>?</tt> followe
punctuation characters (currently <tt>; , .</tt>). Positional parameters
have a unique index which reflects the order in which they appear in the
string. Positional parameters use a zero based index.</p>
-<p>Buffer Usage</p>
+<h4 id="buffer-usage">Buffer Usage</h4>
<p>Additionally you may use this purely as a <code>StringBuffer</code>
replacement for creating queries since it provides a large variety of
convenience methods for appending things either as-is or as nodes (which
@@ -217,32 +217,16 @@ instance represents is actually valid as
</ol>
<h3 id="sparql-injection-notes">SPARQL Injection Notes</h3>
<p>While this class was in part designed to prevent SPARQL injection it is
-by no means foolproof because it works purely at the textual level. The
-current version of the code addresses some possible attack vectors that
-the developers have identified but we recognize that there are some
-cases that we cannot prevent. In particular you should never surround a
-variable which you intend to replace with double quotes e.g.</p>
-<div class="codehilite"><pre><span class="n">String</span> <span class="n">str</span> <span class="o">=</span> <span class="s">"PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?\" }"</span><span class="p">;</span>
-<span class="n">ParameterizedSparqlString</span> <span class="n">pss</span> <span class="o">=</span> <span class="k">new</span> <span class="n">ParameterizedSparqlString</span><span class="p">(</span><span class="n">str</span><span class="p">);</span>
-</pre></div>
-
-
-<p>While the class will recognize and prevent this as an error this
-protection is trivially defeated by placing some white space around the
-variable definition e.g</p>
-<div class="codehilite"><pre><span class="n">String</span> <span class="n">str</span> <span class="o">=</span> <span class="s">"PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" r \" }"</span><span class="p">;</span>
-<span class="n">ParameterizedSparqlString</span> <span class="n">pss</span> <span class="o">=</span> <span class="k">new</span> <span class="n">ParameterizedSparqlString</span><span class="p">(</span><span class="n">str</span><span class="p">);</span>
-</pre></div>
-
-
-<p>This latter case cannot be easily detected and prevented because we
-can't easily distinguish between a possible injection vulnerability and
-a variable that merely occurs between two literals.</p>
-<p>Therefore, we <b>strongly</b> recommend that users concerned about SPARQL
-Injection attacks perform their own validation on provided parameters
-and test their use of this class to avoid known attack vectors. We also
-recommend that users do not use easily guessable variable names for
-their parameters as these can allow a chained injection attack.</p>
+by no means foolproof because it works purely at the textual level. The current
+version of the code addresses some possible attack vectors that the
+developers have identified but we do not claim to be sufficiently devious to
+have thought of and prevented every possible attack vector.</p>
+<p>Therefore we <strong>strongly</strong> recommend that users concerned about
+ SPARQL Injection attacks perform their own validation on provided parameters
+ and test their use of this class themselves prior to its use in any security
+ conscious deployment. We also recommend that users do not use easily
+ guess-able variable names for their parameters as these can allow a chained
+ injection attack though generally speaking the code should prevent these.</p>
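Review bot: The removed lines (the two `ParameterizedSparqlString` examples and the paragraph stating that a variable sitting between quotes with surrounding white space "cannot be easily detected and prevented") documented a concrete, known limitation, and the replacement's closing clause "though generally speaking the code should prevent these" turns that into a general assurance without pointing to any code change that closed the gap. Unless the substitution logic has actually changed, keep the actionable rule in some form, e.g. retain "you should never surround a variable which you intend to replace with double quotes" as a one-line caveat after the new first paragraph, since readers relying on this class for SPARQL injection protection need that specific rule more than the broader disclaimer. Minor: "guess-able" should be "guessable" (the removed text had it right), a comma is needed before "though generally speaking", and the continuation lines of the second `<p>` are indented by one space (" SPARQL Injection", " and test", " conscious", " guess-able", " injection") while the rest of the file is flush left.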
</div>
<div id="footer">