/**
 * Makes a copy of the command text and optionally copies other aspects.
 *
 * @param copyParams
 *            Whether to copy parameters (both named and positional)
 * @param copyBase
 *            Whether to copy the Base URI
 * @param copyPrefixes
 *            Whether to copy the prefix mappings
 * @return Copy of the string
 */
public ParameterizedSparqlString copy(boolean copyParams, boolean copyBase, boolean copyPrefixes) {
    // The command text is always duplicated; base URI and prefixes are only handed over when asked for.
    // NOTE(review): the prefix mapping object is passed through as-is; whether the constructor copies it
    // or shares the instance is not visible here — confirm if the copy must be isolated from later
    // prefix changes on the original.
    ParameterizedSparqlString result = new ParameterizedSparqlString(this.cmd.toString(), null,
            copyBase ? this.baseUri : null, copyPrefixes ? this.prefixes : null);
    if (!copyParams) {
        return result;
    }
    // Named parameters: walk the bound variable names and replay each binding onto the copy
    for (Iterator<String> names = this.getVars(); names.hasNext();) {
        String name = names.next();
        result.setParam(name, this.getParam(name));
    }
    // Positional parameters are keyed by their index
    for (Entry<Integer, Node> positional : this.positionalParams.entrySet()) {
        result.setParam(positional.getKey(), positional.getValue());
    }
    return result;
}
@Test(expected = ARQException.class)
public void test_param_string_injection_15() {
    // Regression test for a chained injection: the first injected value looks
    // innocuous and only plants a reference to the second variable, which then
    // carries the actual payload.
    // Since we do not check delimiters we are not able to detect and prevent
    // this at injection time; the resulting update is nevertheless expected to
    // fail with an ARQException.
    ParameterizedSparqlString pss = new ParameterizedSparqlString(
            "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }");
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");

    // Injection order follows the variable iteration order, so determine
    // which variable goes first before building the values.
    @SuppressWarnings("deprecation")
    String injectedFirst = pss.getVars().next();
    String injectedSecond = injectedFirst.equals("var") ? "var2" : "var";

    pss.setLiteral(injectedFirst, " ?" + injectedSecond + " ");
    pss.setLiteral(injectedSecond, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
@Test(expected = ARQException.class)
public void test_param_string_injection_10() {
    // Regression test for a chained injection: the first injected value looks
    // innocuous and only plants a reference to the second variable, which then
    // carries the actual payload.
    // The injection is prevented because a ?var directly surrounded by quotes
    // is always flagged as subject to injection: pre-injection validation
    // happens before each variable is injected.
    ParameterizedSparqlString pss = new ParameterizedSparqlString(
            "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }");
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");

    // Injection order follows the variable iteration order, so determine
    // which variable goes first before building the values.
    @SuppressWarnings("deprecation")
    String injectedFirst = pss.getVars().next();
    String injectedSecond = injectedFirst.equals("var") ? "var2" : "var";

    // No surrounding whitespace here: the reference ends up directly inside quotes
    pss.setLiteral(injectedFirst, "?" + injectedSecond);
    pss.setLiteral(injectedSecond, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}