/**
 * Creates new parameter metadata for a parameterized SPARQL string.
 * <p>
 * The parameter count is taken from the positional parameters the string
 * reports as eligible and is fixed when this object is constructed.
 *
 * @param sparqlStr Parameterized SPARQL String
 * @throws SQLException if {@code sparqlStr} is {@code null}
 */
public JenaParameterMetadata(ParameterizedSparqlString sparqlStr) throws SQLException {
    if (sparqlStr == null) {
        throw new SQLException("Parameterized SPARQL String cannot be null");
    }

    this.sparqlStr = sparqlStr;
    // Only positional parameters the string itself considers eligible are
    // counted; the narrowing cast mirrors the caller-facing int count.
    this.paramCount = (int) Iter.count(sparqlStr.getEligiblePositionalParameters());
}
/**
 * Creates new parameter metadata for a parameterized SPARQL string.
 * <p>
 * The parameter count is taken from the positional parameters the string
 * reports as eligible and is fixed when this object is constructed.
 *
 * @param sparqlStr Parameterized SPARQL String
 * @throws SQLException if {@code sparqlStr} is {@code null}
 */
public JenaParameterMetadata(ParameterizedSparqlString sparqlStr) throws SQLException {
    if (sparqlStr == null) {
        throw new SQLException("Parameterized SPARQL String cannot be null");
    }

    this.sparqlStr = sparqlStr;
    // Only positional parameters the string itself considers eligible are
    // counted; the narrowing cast mirrors the caller-facing int count.
    this.paramCount = (int) Iter.count(sparqlStr.getEligiblePositionalParameters());
}
@Test
public void test_param_string_positional_eligible_2() {
    // Every bare "?" token in this pattern should be reported as an
    // eligible positional parameter
    String cmdText = "SELECT * WHERE { ? ? ? . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText);

    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }

    Assert.assertEquals(3, eligible);
}
@Test
public void test_param_string_positional_eligible_1() {
    // Named variables (?s, ?p) are not positional parameters; only the
    // single bare "?" should be reported as eligible
    String cmdText = "SELECT * WHERE { ?s ?p ? . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText);

    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }

    Assert.assertEquals(1, eligible);
}
@Test
public void test_param_string_positional_eligible_3() {
    // A bare "?" followed by punctuation (";", ",", ".") rather than
    // whitespace should still be reported as an eligible positional parameter
    String cmdText = "SELECT * WHERE { ?s ?p ?; ?p1 ?, ?. }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText);

    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }

    Assert.assertEquals(3, eligible);
}
@Test
public void test_param_string_positional_injection_07() {
    // The "?" here is enclosed directly in double quotes, with no whitespace
    // or punctuation after it, so it must not be treated as an eligible
    // positional parameter. The attempted injection of a literal that closes
    // the statement and appends further operations therefore has nothing
    // to bind to.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");

    Iterator<Integer> eligible = pss.getEligiblePositionalParameters();
    Assert.assertFalse(eligible.hasNext());
}
@Test
public void test_param_string_positional_injection_06() {
    // The "?" here is enclosed directly in single quotes, with no whitespace
    // or punctuation after it, so it must not be treated as an eligible
    // positional parameter. The injected value attempts to break out of the
    // quoted literal and append further operations; with no eligible
    // parameter it cannot be applied.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?' }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye");

    Iterator<Integer> eligible = pss.getEligiblePositionalParameters();
    Assert.assertFalse(eligible.hasNext());
}
@Test
public void test_param_string_positional_injection_08() {
    // Variant of the quoted-literal case: the injected value closes the
    // single-quoted literal and comments out the remainder. Because the "?"
    // is immediately followed by the closing quote rather than whitespace or
    // punctuation, it is not an eligible positional parameter and the value
    // is never injected.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?' }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#");

    Iterator<Integer> eligible = pss.getEligiblePositionalParameters();
    Assert.assertFalse(eligible.hasNext());
}
@Test
public void test_param_string_positional_injection_15() {
    // Chained injection: the first value bound looks harmless but is itself
    // a bare "?" surrounded by whitespace, intended to create a second
    // positional parameter that the next setLiteral could then fill with a
    // statement-closing payload.
    //
    // In the positional case the original string has exactly one eligible
    // parameter and the chained value is expected not to introduce another,
    // so the second value has nothing to bind to and the resulting update
    // still consists of a single operation.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, " ? ");
    pss.setLiteral(1, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");

    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }
    Assert.assertEquals(1, eligible);

    Assert.assertEquals(1, pss.asUpdate().getOperations().size());
}
@Test
public void test_param_string_positional_injection_10() {
    // Chained injection: the first value bound is a lone "?" that, once
    // injected, would sit between quotes and could be mistaken for a fresh
    // parameter; the second setLiteral then tries to bind a statement-closing
    // payload to it.
    //
    // In the positional case the original string has exactly one eligible
    // parameter and the chained value is expected not to introduce another,
    // so the second value has nothing to bind to and the resulting update
    // still consists of a single operation.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, "?");
    pss.setLiteral(1, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");

    int eligible = 0;
    for (Iterator<Integer> it = pss.getEligiblePositionalParameters(); it.hasNext(); it.next()) {
        eligible++;
    }
    Assert.assertEquals(1, eligible);

    Assert.assertEquals(1, pss.asUpdate().getOperations().size());
}