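/**
 * Builds a SELECT query that returns every triple of the named graph {@code context}.
 *
 * @param context graph IRI; bound as a query parameter via {@code setIri}, never
 *                concatenated into the query text
 * @return the query text with {@code ?context} replaced by the bound IRI
 * @throws IOException kept for API compatibility; nothing in this body throws it
 */
public static String getAllTriplesOfContext(URL context) throws IOException {
    // A literal is enough here; new String("...") only allocated a needless copy.
    String query = "SELECT ?x ?y ?z \n"
            + "FROM ?context \n"
            + "WHERE {?x ?y ?z}";
    ParameterizedSparqlString queryString = new ParameterizedSparqlString(query);
    // Same parameter name as the original (with the leading '?'); presumably
    // the library strips it — the other snippets on this page omit it.
    queryString.setIri("?context", context);
    return queryString.toString();
}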
@Test
public void test_param_string_string_1() {
    // Plain literal injection: IRIs for ?s and ?p, a simple string for ?o.
    String template = "SELECT * WHERE { ?s ?p ?o . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(template);
    pss.setIri("s", "http://example.org");
    pss.setIri("p", "http://predicate");
    pss.setLiteral("o", "test");
    String expected = "SELECT * WHERE { <http://example.org> <http://predicate> \"test\" . }";
    Assert.assertEquals(expected, pss.toString());
}
@Test
public void test_param_string_bug_03() {
    // Regression for a reported bug: a literal containing '$' followed by a digit
    // must not break substitution. The test passes if toString() does not throw.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o }");
    pss.setLiteral("o", "has$5sign");
    pss.toString();
}
@Test
public void test_param_string_constructor_2() {
    // A null command text must be normalised to the empty command.
    String nullCommand = null;
    ParameterizedSparqlString pss = new ParameterizedSparqlString(nullCommand);
    Assert.assertEquals("", pss.getCommandText());
}
@Test
public void test_param_string_iri_4() {
    // ?s occurs twice in the pattern; one setIri binds both occurrences.
    ParameterizedSparqlString pss =
            new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . ?s a ?type }");
    pss.setIri("s", "http://example.org");
    // Helper defined elsewhere in this file; presumably checks that the first
    // array's strings appear in the output and the second array's do not.
    String[] expected = { "<http://example.org>" };
    String[] unexpected = { "?s" };
    test(pss, expected, unexpected);
}
@Test
public void test_param_string_constructor_3() {
    // The two-argument constructor must retain the base URI it was given.
    String base = "http://example.org";
    ParameterizedSparqlString pss = new ParameterizedSparqlString("", base);
    Assert.assertEquals(base, pss.getBaseUri());
}
@Test
public void test_param_string_string_5() {
    // A tab inside a literal must be rendered as the escape sequence \t.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    pss.setIri("s", "http://example.org");
    pss.setIri("p", "http://predicate");
    pss.setLiteral("o", "A tabby\tstring");
    String expected =
            "SELECT * WHERE { <http://example.org> <http://predicate> \"A tabby\\tstring\" . }";
    Assert.assertEquals(expected, pss.toString());
}
@Test
public void test_param_string_bug_01() {
    // Regression for a reported bug: a literal containing '$' must not break
    // substitution. The test passes if toString() does not throw.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o }");
    pss.setLiteral("o", "has$sign");
    pss.toString();
}
@Test
public void test_param_string_bnode_2() {
    // Blank node injection into an update: ?node appears in both the
    // INSERT template and the WHERE pattern and both must be replaced.
    ParameterizedSparqlString pss = new ParameterizedSparqlString(
            "INSERT { GRAPH <target> { ?node a:p ?o . } } WHERE { ?node a:p ?o . }");
    pss.setIri("node", "_:blankNodeID");
    // Helper defined elsewhere in this file.
    String[] expected = { "<_:blankNodeID>" };
    String[] unexpected = { "?node" };
    test(pss, expected, unexpected);
}
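/**
 * Retrieves the concise bounded description of {@code resource} up to {@code depth}
 * property hops, via a CONSTRUCT query run through {@code qef}.
 *
 * @param resource IRI of the starting resource; bound via {@code setIri}, never
 *                 concatenated into the query text
 * @param depth number of hops to follow beyond the resource itself
 *              (0 yields only {@code ?s0 ?p0 ?o0})
 * @param withTypesForLeafs not used by this implementation
 * @return model holding the constructed triples
 */
@Override
public Model getConciseBoundedDescription(String resource, int depth, boolean withTypesForLeafs) {
    // CONSTRUCT template: the chain ?s0 ?p0 ?o0 . ?o0 ?p1 ?o1 . ... up to ?o(depth).
    StringBuilder constructTemplate = new StringBuilder("?s0 ?p0 ?o0 .");
    // WHERE template: the same chain, every hop wrapped in a nested OPTIONAL so
    // resources with shorter paths still match.
    StringBuilder triplesTemplate = new StringBuilder("?s0 ?p0 ?o0 .");
    for (int i = 1; i <= depth; i++) {
        String hop = "?o" + (i - 1) + " ?p" + i + " ?o" + i + " .";
        constructTemplate.append(hop);
        triplesTemplate.append("OPTIONAL{").append(hop);
    }
    if (resolveBlankNodes) {
        // Follow :sameBlank links from the deepest object to pull in blank-node closures.
        // NOTE(review): the filter refers to ?p, which no pattern here binds
        // (only ?p0..?p<depth> and ?px are) — confirm intent.
        triplesTemplate.append("?o").append(depth)
                .append("((!<x>|!<y>)/:sameBlank)* ?x . ?x ?px ?ox .filter(!(?p in (:sameIri, :sameBlank)))");
    }
    // Close the nested OPTIONAL blocks opened above.
    for (int i = 1; i <= depth; i++) {
        triplesTemplate.append("}");
    }
    ParameterizedSparqlString query = new ParameterizedSparqlString(
            "prefix : <http://dl-learner.org/ontology/> "
                    + "CONSTRUCT{" + constructTemplate + "}"
                    + " WHERE {" + triplesTemplate + "}");
    query.setIri("s0", resource);
    // The debug System.out.println(query) was dropped; it wrote every query to stdout.
    QueryExecution qe = qef.createQueryExecution(query.toString());
    try {
        return qe.execConstruct();
    } finally {
        // Release the execution even when execConstruct() throws (the original
        // only closed it on the success path).
        qe.close();
    }
}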
@Test
public void test_param_string_constructor_1() {
    // The no-argument constructor starts with an empty command text.
    ParameterizedSparqlString pss = new ParameterizedSparqlString();
    String commandText = pss.getCommandText();
    Assert.assertEquals("", commandText);
}
@Test
public void test_param_string_string_6() {
    // A single quote inside a literal must be escaped as \'.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    pss.setIri("s", "http://example.org");
    pss.setIri("p", "http://predicate");
    pss.setLiteral("o", "A test's test");
    String expected =
            "SELECT * WHERE { <http://example.org> <http://predicate> \"A test\\'s test\" . }";
    Assert.assertEquals(expected, pss.toString());
}
@Test
public void test_param_string_non_injection_01() {
    // A variable sitting between two literals is a legitimate injection target
    // and must be accepted (the pattern is not a valid query; it only
    // exercises the boundary check). Passes if toString() does not throw.
    ParameterizedSparqlString pss =
            new ParameterizedSparqlString("SELECT * { \"subject\" ?var \"object\" . }");
    pss.setLiteral("var", "predicate");
    pss.toString();
}
@Test
public void test_param_string_bnode_1() {
    // Blank node injection into a SELECT pattern.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    pss.setIri("s", "_:blankNodeID");
    // Helper defined elsewhere in this file.
    String[] expected = { "<_:blankNodeID>" };
    String[] unexpected = { "?s" };
    test(pss, expected, unexpected);
}
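/**
 * Update named graph by first deleting it and afterwards inserting the triples of the new model.
 * <p>
 * Only the fixed template goes through {@code ParameterizedSparqlString}; the serialized
 * triples are appended after substitution, so the data payload is never scanned for a
 * {@code ?g} token (the original substituted over template and data together).
 *
 * @param graph named graph to be updated; bound via {@code setIri}, never concatenated
 * @param model model that holds triples to set
 * @return the SPARQL Update text
 */
public String createUpdateNamedGraphQuery(String graph, Model model) {
    StringWriter sw = new StringWriter();
    RDFDataMgr.write(sw, model, Lang.NTRIPLES);
    ParameterizedSparqlString pps = new ParameterizedSparqlString();
    // Assumes toString() performs textual substitution only and does not parse
    // the command text — the original never parsed it either.
    pps.setCommandText("\nCLEAR GRAPH ?g;\n" + "\nINSERT DATA { GRAPH ?g { ");
    pps.setIri("g", graph);
    return pps.toString() + sw + "}};\n";
}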
@Test
public void test_param_string_positional_eligible_2() {
    // Three bare '?' tokens must all be reported as eligible positional parameters.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ? ? ? . }");
    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }
    Assert.assertEquals(3, eligible);
}
@Test
public void test_param_string_string_2() {
    // Double quotes inside a literal must be escaped as \".
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    pss.setIri("s", "http://example.org");
    pss.setIri("p", "http://predicate");
    pss.setLiteral("o", "A \"test\" string");
    String expected =
            "SELECT * WHERE { <http://example.org> <http://predicate> \"A \\\"test\\\" string\" . }";
    Assert.assertEquals(expected, pss.toString());
}
@Test
public void test_param_string_positional_injection_07() {
    // A '?' sitting directly inside quotes must not count as a positional
    // parameter: it lacks the trailing whitespace/punctuation the detector
    // requires, so the injected literal never reaches the command text.
    String template = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(template);
    pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    boolean anyEligible = pss.getEligiblePositionalParameters().hasNext();
    Assert.assertFalse(anyEligible);
}
@Test
public void test_param_string_iri_2() {
    // Simple IRI injection into the predicate position.
    ParameterizedSparqlString pss = new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o }");
    pss.setIri("p", "http://example.org");
    // Helper defined elsewhere in this file.
    String[] expected = { "<http://example.org>" };
    String[] unexpected = { "?p" };
    test(pss, expected, unexpected);
}
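/**
 * Fetches every triple of the named graph {@code graphName} from {@code sparqlEndpoint}
 * via a CONSTRUCT query.
 *
 * @param graphName graph IRI; bound via {@code setIri}, never concatenated into the query
 * @return model holding the graph's triples
 */
public Model retrieveModel(String graphName) {
    String queryTemplate = "CONSTRUCT { ?s ?p ?o } WHERE { GRAPH ?g { ?s ?p ?o } . }";
    ParameterizedSparqlString pps = new ParameterizedSparqlString();
    pps.setCommandText(queryTemplate);
    pps.setIri("g", graphName);
    Query query = QueryFactory.create(pps.toString());
    QueryExecution qexec = QueryExecutionFactory.sparqlService(sparqlEndpoint, query);
    try {
        // Presumably execConstruct() materialises the full result, so closing
        // afterwards is safe — the other snippet on this page closes it the same way.
        return qexec.execConstruct();
    } finally {
        // The original never closed the execution; release it even on failure.
        qexec.close();
    }
}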