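@Test
public void test_param_string_positional_non_injection_01() {
    // A literal bound to a positional parameter that sits between two other
    // literals is a legitimate substitution, not an injection attempt, so
    // toString() must not raise the injection-detection ARQException.
    // The query text is deliberately not valid SPARQL; it only serves to
    // illustrate the "literal next to literal" case.
    String queryText = "SELECT * { \"subject\" ? \"object\" . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setLiteral(0, "predicate");

    // Do not just discard the rendered string: besides "no exception", the
    // literal has to actually appear in the output as a quoted string.
    String rendered = pss.toString();
    Assert.assertTrue("positional literal was not substituted: " + rendered,
            rendered.contains("\"predicate\""));
}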
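@Test
public void test_param_string_non_injection_01() {
    // A literal bound to a named variable that sits between two other
    // literals is a legitimate substitution, not an injection attempt, so
    // toString() must not raise the injection-detection ARQException.
    // The query text is deliberately not valid SPARQL; it only serves to
    // illustrate the "literal next to literal" case.
    String queryText = "SELECT * { \"subject\" ?var \"object\" . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setLiteral("var", "predicate");

    // Do not just discard the rendered string: besides "no exception", the
    // literal has to actually appear in the output as a quoted string.
    String rendered = pss.toString();
    Assert.assertTrue("named literal was not substituted: " + rendered,
            rendered.contains("\"predicate\""));
}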
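@Test
public void test_empty_list() {
    // Binding an empty list to a VALUES placeholder must produce an empty
    // VALUES block ("{}") rather than leaving the ?objs placeholder behind.
    // (The original comment described a two-value case; this test is the
    // zero-value edge case.)
    String queryText = "SELECT * WHERE { VALUES (?o) {?objs} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    List<RDFNode> noValues = new ArrayList<>();
    pss.setValues("objs", noValues);

    String expected = "SELECT * WHERE { VALUES (?o) {} ?s ?p ?o }";
    String actual = pss.toString();
    Assert.assertEquals(expected, actual);
}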
@Test(expected = ARQException.class)
public void test_set_values_multiple_variables_too_few() {
    // The VALUES clause declares two variables (?p ?o) but only one value
    // is supplied, so rendering the query must fail with an ARQException.
    String queryText = "SELECT * WHERE { VALUES (?p ?o) {?vars} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    List<RDFNode> singleValue = new ArrayList<>(1);
    singleValue.add(ResourceFactory.createProperty("http://example.org/prop_A"));
    pss.setValues("vars", singleValue);

    pss.toString();
    // Reached only if no exception was thrown above.
    Assert.fail("Attempt to insert incorrect number of values.");
}
@Test(expected = ARQException.class)
public void test_set_values_multiple_variables_too_many() {
    // The VALUES clause declares two variables (?p ?o) but three values are
    // supplied, so rendering the query must fail with an ARQException.
    String queryText = "SELECT * WHERE { VALUES (?p ?o) {?vars} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    List<RDFNode> threeValues = new ArrayList<>(3);
    threeValues.add(ResourceFactory.createProperty("http://example.org/prop_A"));
    threeValues.add(ResourceFactory.createPlainLiteral("obj_A"));
    threeValues.add(ResourceFactory.createPlainLiteral("obj_A"));
    pss.setValues("vars", threeValues);

    pss.toString();
    // Reached only if no exception was thrown above.
    Assert.fail("Attempt to insert incorrect number of values.");
}
@Test
public void test_set_values_items_parenthesis() {
    // Two values for a single VALUES variable: each value is rendered as its
    // own parenthesised row inside the braces.
    String queryText = "SELECT * WHERE { VALUES (?o) {?objs} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    List<RDFNode> twoValues = new ArrayList<>(2);
    twoValues.add(ResourceFactory.createPlainLiteral("obj_A"));
    twoValues.add(ResourceFactory.createPlainLiteral("obj_B"));
    pss.setValues("objs", twoValues);

    String actual = pss.toString();
    String expected = "SELECT * WHERE { VALUES (?o) {(\"obj_A\") (\"obj_B\")} ?s ?p ?o }";
    Assert.assertEquals(expected, actual);
}
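@Test
public void test_set_values_multiple_variables() {
    // One value for each of two VALUES variables (?p ?o): the two values
    // form a single parenthesised row, IRI rendered in <...>, string as "...".
    // (The original comment described a "two values for the same variable"
    // case, which is covered by test_set_values_items_parenthesis instead.)
    String queryText = "SELECT * WHERE { VALUES (?p ?o) {?vars} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    List<RDFNode> oneRow = new ArrayList<>(2);
    oneRow.add(ResourceFactory.createProperty("http://example.org/prop_A"));
    oneRow.add(ResourceFactory.createPlainLiteral("obj_A"));
    pss.setValues("vars", oneRow);

    String expected = "SELECT * WHERE { VALUES (?p ?o) {(<http://example.org/prop_A> \"obj_A\")} ?s ?p ?o }";
    String actual = pss.toString();
    Assert.assertEquals(expected, actual);
}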
@Test
public void test_set_values_item_missing_braces() {
    // Without the braces around ?objs there is no VALUES block to substitute
    // into, so setValues() must leave the query text untouched.
    String queryText = "SELECT * WHERE { VALUES ?o ?objs ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setValues("objs", ResourceFactory.createPlainLiteral("test"));

    String actual = pss.toString();
    Assert.assertEquals("SELECT * WHERE { VALUES ?o ?objs ?s ?p ?o }", actual);
}
@Test
public void test_set_values_item_missing_valueName() {
    // The value name ("props") does not match the placeholder (?objs), so
    // there is nothing to substitute and the query text stays unchanged.
    String queryText = "SELECT * WHERE { VALUES ?o {?objs} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setValues("props", ResourceFactory.createPlainLiteral("test"));

    String actual = pss.toString();
    Assert.assertEquals("SELECT * WHERE { VALUES ?o {?objs} ?s ?p ?o }", actual);
}
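@Test(expected = ARQException.class)
public void test_set_values_uri_injection() {
    // A resource whose URI carries '<' / '>' could close the IRI early and
    // splice extra query text in; this is prevented by forbidding the '>'
    // character in URIs, so the call must raise an ARQException.
    String queryText = "PREFIX : <http://example/>\nSELECT * WHERE { VALUES ?obj {?objVar} <s> <p> ?obj . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);

    // Bind to the actual VALUES placeholder name. The original passed the
    // whole query string as the value name, which matches no placeholder and
    // therefore never exercised substitution into the VALUES block.
    pss.setValues("objVar", ResourceFactory.createResource("<http://example.org/obj_A>"));

    pss.toString();
    // Reached only if no exception was thrown above.
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}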
@Test
public void test_set_values_item() {
    // A single value bound to a VALUES placeholder is still wrapped in
    // parentheses as a one-column row.
    String queryText = "SELECT * WHERE { VALUES ?o {?objs} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setValues("objs", ResourceFactory.createPlainLiteral("test"));

    String actual = pss.toString();
    Assert.assertEquals("SELECT * WHERE { VALUES ?o {(\"test\")} ?s ?p ?o }", actual);
}
@Test
public void test_set_values_item2() {
    // Same as test_set_values_item but with the '$' variable prefix: the
    // single value is still wrapped in parentheses as a one-column row.
    String queryText = "SELECT * WHERE { VALUES $o {$objs} $s $p $o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setValues("objs", ResourceFactory.createPlainLiteral("test"));

    String actual = pss.toString();
    Assert.assertEquals("SELECT * WHERE { VALUES $o {(\"test\")} $s $p $o }", actual);
}
@Test
public void test_set_values_item_missing_values() {
    // No VALUES keyword precedes {?objs}, so it is not a VALUES block and
    // setValues() must leave the query text untouched.
    String queryText = "SELECT * WHERE { ?o {?objs} ?s ?p ?o }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(queryText);
    pss.setValues("objs", ResourceFactory.createPlainLiteral("test"));

    String actual = pss.toString();
    Assert.assertEquals("SELECT * WHERE { ?o {?objs} ?s ?p ?o }", actual);
}
@Test
public void test_param_string_string_1() {
    // Plain string substitution: IRIs render as <...>, the literal as "...".
    ParameterizedSparqlString query =
            new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    query.setIri("s", "http://example.org");
    query.setIri("p", "http://predicate");
    query.setLiteral("o", "test");

    String expected = "SELECT * WHERE { <http://example.org> <http://predicate> \"test\" . }";
    Assert.assertEquals(expected, query.toString());
}
@Test
public void test_param_string_string_5() {
    // A literal containing a tab character must be escaped as "\t" in the
    // rendered query rather than emitted raw.
    ParameterizedSparqlString query =
            new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    query.setIri("s", "http://example.org");
    query.setIri("p", "http://predicate");
    query.setLiteral("o", "A tabby\tstring");

    String expected = "SELECT * WHERE { <http://example.org> <http://predicate> \"A tabby\\tstring\" . }";
    Assert.assertEquals(expected, query.toString());
}
@Test
public void test_param_string_string_6() {
    // A literal containing a single quote must be escaped as \' in the
    // rendered query so it cannot terminate a quoted string early.
    ParameterizedSparqlString query =
            new ParameterizedSparqlString("SELECT * WHERE { ?s ?p ?o . }");
    query.setIri("s", "http://example.org");
    query.setIri("p", "http://predicate");
    query.setLiteral("o", "A test's test");

    String expected = "SELECT * WHERE { <http://example.org> <http://predicate> \"A test\\'s test\" . }";
    Assert.assertEquals(expected, query.toString());
}