Example 61 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_12.

@Test(expected = ARQException.class)
public void test_param_string_injection_12() {
    // This is a variant on placing a variable bound to a literal inside a
    // literal, which would result in an injection; we are now able to
    // detect and prevent this
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ?var other text\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 62 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_10.

@Test(expected = ARQException.class)
public void test_param_string_injection_10() {
    // This injection attempt tries to chain together injections to achieve
    // an attack. The first injection appears innocuous and is an attempt to
    // set up an actual injection vector.
    // The injection is prevented because a ?var directly surrounded by
    // quotes is always flagged as subject to injection, since pre-injection
    // validation happens before each variable is injected.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");
    // Figure out which variable will be injected first
    @SuppressWarnings("deprecation") String first = pss.getVars().next();
    String second = first.equals("var") ? "var2" : "var";
    pss.setLiteral(first, "?" + second);
    pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 63 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_07.

@Test(expected = ARQException.class)
public void test_param_string_injection_07() {
    // This injection attempt is prevented by forbidding injection of
    // variable parameters immediately surrounded by quotes
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?var\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 64 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestDatasets method setup.

@Before
public void setup() {
    UpdateRequest up = UpdateFactory.create(TestDatasets.data);
    UpdateProcessor processor = UpdateExecutionFactory.create(up, this.dsg);
    processor.execute();
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) UpdateProcessor(org.apache.jena.update.UpdateProcessor) Before(org.junit.Before)

Example 65 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class UpdateValidatorJSON method execute.

public static JsonObject execute(ValidationAction action) {
    JsonBuilder obj = new JsonBuilder();
    obj.startObject();
    final String updateString = getArg(action, paramUpdate);
    String updateSyntax = getArgOrNull(action, paramSyntax);
    if (updateSyntax == null || updateSyntax.equals(""))
        updateSyntax = "SPARQL";
    Syntax language = Syntax.lookup(updateSyntax);
    if (language == null) {
        ServletOps.errorBadRequest("Unknown syntax: " + updateSyntax);
        return null;
    }
    obj.key(jInput).value(updateString);
    UpdateRequest request = null;
    try {
        request = UpdateFactory.create(updateString, "http://example/base/", language);
    } catch (QueryParseException ex) {
        obj.key(jErrors);
        // Errors array
        obj.startArray();
        obj.startObject();
        obj.key(jParseError).value(ex.getMessage());
        obj.key(jParseErrorLine).value(ex.getLine());
        obj.key(jParseErrorCol).value(ex.getColumn());
        obj.finishObject();
        obj.finishArray();
        // Outer object
        obj.finishObject();
        return obj.build().getAsObject();
    }
    formatted(obj, request);
    obj.finishObject();
    return obj.build().getAsObject();
}
Also used : JsonBuilder(org.apache.jena.atlas.json.JsonBuilder) UpdateRequest(org.apache.jena.update.UpdateRequest) Syntax(org.apache.jena.query.Syntax) QueryParseException(org.apache.jena.query.QueryParseException)
