Example 56 with UpdateRequest

Use of org.apache.jena.update.UpdateRequest in project jena by apache: class TestParameterizedSparqlString, method test_param_string_positional_injection_11.

@Test(expected = ARQException.class)
public void test_param_string_positional_injection_11() {
    // This is a variant on placing a variable bound to a literal inside a
    // literal, resulting in an injection; we are now able to detect and
    // prevent this
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ? \" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used: org.apache.jena.update.UpdateRequest, org.junit.Test

Example 57 with UpdateRequest

Use of org.apache.jena.update.UpdateRequest in project jena by apache: class TestParameterizedSparqlString, method test_param_string_injection_01.

@Test(expected = ARQException.class)
public void test_param_string_injection_01() {
    // This injection is prevented by forbidding the > character in URIs
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used: org.apache.jena.update.UpdateRequest, org.junit.Test

Example 58 with UpdateRequest

Use of org.apache.jena.update.UpdateRequest in project jena by apache: class TestParameterizedSparqlString, method test_param_string_injection_15.

@Test(expected = ARQException.class)
public void test_param_string_injection_15() {
    // This injection attempt tries to chain together injections to achieve
    // an attack: the first injection appears innocuous and is an attempt to
    // set up an actual injection vector.
    // Since we do not check delimiters we are not able to detect and
    // prevent this
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");
    // Figure out which variable will be injected first
    @SuppressWarnings("deprecation") String first = pss.getVars().next();
    String second = first.equals("var") ? "var2" : "var";
    pss.setLiteral(first, " ?" + second + " ");
    pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used: org.apache.jena.update.UpdateRequest, org.junit.Test

Example 59 with UpdateRequest

Use of org.apache.jena.update.UpdateRequest in project jena by apache: class TestParameterizedSparqlString, method test_param_string_positional_injection_12.

@Test(expected = ARQException.class)
public void test_param_string_positional_injection_12() {
    // This is a variant on placing a variable bound to a literal inside a
    // literal, resulting in an injection; we are now able to detect and
    // prevent this
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ? other text\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used: org.apache.jena.update.UpdateRequest, org.junit.Test

Example 60 with UpdateRequest

Use of org.apache.jena.update.UpdateRequest in project jena by apache: class TestParameterizedSparqlString, method test_param_string_injection_06.

@Test(expected = ARQException.class)
public void test_param_string_injection_06() {
    // This injection attempt is prevented by forbidding injection to a
    // variable parameter immediately surrounded by quotes
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used: org.apache.jena.update.UpdateRequest, org.junit.Test
