private UpdateRequest testAsUpdate(ParameterizedSparqlString update) { return update.asUpdate(); }
@Test public void test_param_string_injection_03() { // This injection attempt results in a valid update but a failed // injection String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var2", "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_injection_14() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we now escape ' so prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> 'some text ?var other text' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_injection_13() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we now escape ' so prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ' ?var ' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_positional_injection_09() { // This injection attempt using comments results in a valid SPARQL // update but a failed injection because the attempt to use comments // ends up being a valid string literal within quotes String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, "\" . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_positional_injection_13() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we now escape ' so prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ' ? ' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_injection_09() { // This injection attempt using comments results in a valid SPARQL // update but a failed injection because the attempt to use comments // ends up being a valid string literal within quotes String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", "\" . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_positional_injection_03() { // This injection attempt results in a valid update but a failed // injection String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test public void test_param_string_positional_injection_14() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we now escape ' so prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> 'some text ? other text' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); UpdateRequest updates = pss.asUpdate(); Assert.assertEquals(1, updates.getOperations().size()); }
@Test(expected = ARQException.class) public void test_param_string_injection_06() { // This injection attempt is prevented by forbidding injection to a // variable parameter immediately surrounded by quotes String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_positional_injection_11() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we are now able to detect and // prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ? \" }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_08() { // This injection attempt results in an invalid SPARQL update because // you end up with a double quoted literal inside a single quoted // literal String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_12() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we are now able to detect and // prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ?var other text\" }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_positional_injection_02() { // This injection is prevented by forbidding the > character in URIs String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setIri(0, "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_07() { // This injection attempt is prevented by forbidding injection of // variable parameters immediately surrounded by quotes String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?var\" }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_11() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we are now able to detect and // prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ?var \" }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_01() { // This injection is prevented by forbidding the > character in URIs String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_injection_02() { // This injection is prevented by forbidding the > character in URIs String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_positional_injection_01() { // This injection is prevented by forbidding the > character in URIs String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?v . }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setIri(0, "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }
@Test(expected = ARQException.class) public void test_param_string_positional_injection_12() { // This is a variant on placing a variable bound to a literal inside a // literal resulting in an injection, we are now able to detect and // prevent this String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ? other text\" }"; ParameterizedSparqlString pss = new ParameterizedSparqlString(str); pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); pss.asUpdate(); Assert.fail("Attempt to do SPARQL injection should result in an exception"); }