Example 81 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_15.

@Test(expected = ARQException.class)
public void test_param_string_injection_15() {
    // This injection attempt chains two injections: the first looks innocuous
    // and only plants a second variable reference (padded with whitespace so
    // it is not directly adjacent to the quotes) as the real injection vector.
    // The test expects asUpdate() to still reject the second injection; the
    // pre-injection validation runs before each variable is substituted.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");
    // Figure out which variable will be injected first
    @SuppressWarnings("deprecation") String first = pss.getVars().next();
    String second = first.equals("var") ? "var2" : "var";
    pss.setLiteral(first, " ?" + second + " ");
    pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 82 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_positional_injection_12.

@Test(expected = ARQException.class)
public void test_param_string_positional_injection_12() {
    // Variant of placing a (positional) parameter bound to a literal inside an
    // existing literal, which would otherwise allow an injection; this is
    // detected and prevented.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ? other text\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 83 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_06.

@Test(expected = ARQException.class)
public void test_param_string_injection_06() {
    // This injection attempt is prevented by forbidding injection to a
    // variable parameter immediately surrounded by quotes
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 84 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_12.

@Test(expected = ARQException.class)
public void test_param_string_injection_12() {
    // Variant of placing a variable bound to a literal inside an existing
    // literal, which would otherwise allow an injection; this is detected and
    // prevented.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ?var other text\" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)

Example 85 with UpdateRequest

use of org.apache.jena.update.UpdateRequest in project jena by apache.

the class TestParameterizedSparqlString method test_param_string_injection_10.

@Test(expected = ARQException.class)
public void test_param_string_injection_10() {
    // This injection attempt chains two injections: the first appears
    // innocuous and only sets up the actual injection vector.
    // The injection is prevented because a ?var directly surrounded by quotes
    // is always flagged as subject to injection; pre-injection validation
    // happens before each variable is injected.
    String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
    pss.setLiteral("var", "a");
    pss.setLiteral("var2", "b");
    // Figure out which variable will be injected first
    @SuppressWarnings("deprecation") String first = pss.getVars().next();
    String second = first.equals("var") ? "var2" : "var";
    pss.setLiteral(first, "?" + second);
    pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
    UpdateRequest updates = pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Also used : UpdateRequest(org.apache.jena.update.UpdateRequest) Test(org.junit.Test)
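The five tests above all exercise the same property: a value bound with setLiteral() must never be able to terminate the update it is inserted into. The following added example (written for this page, not part of Jena's test suite) shows the three cases side by side with the same hostile payload: plain string concatenation, which lets the payload become three update operations; a correctly parameterised update, where the whole value is bound to an unquoted ?value and is emitted as an escaped literal; and the mistake the tests guard against, a variable placed inside quotes, which asUpdate() rejects with ARQException. The class name SparqlInjectionDemo, the helper method names and the payload string are assumptions made for this example.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.sparql.ARQException;
import org.apache.jena.update.UpdateFactory;
import org.apache.jena.update.UpdateRequest;

public class SparqlInjectionDemo {

    // Attacker-controlled input, constructed for this example: it closes the
    // literal and the INSERT DATA block, appends DROP ALL, and reopens a block
    // so that the trailing quote of the template still parses.
    static final String HOSTILE =
        "hello\" . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye";

    // Vulnerable: the value is pasted into the update text by concatenation,
    // so the parser sees whatever operations the value contains.
    static UpdateRequest concatenated(String value) {
        String text = "PREFIX : <http://example/>\n"
            + "INSERT DATA { <s> <p> \"" + value + "\" }";
        return UpdateFactory.create(text);
    }

    // Hardened: the whole value is bound to an unquoted variable. Jena serialises
    // it as a quoted, escaped literal, so the payload stays data and the request
    // contains exactly one INSERT DATA.
    static UpdateRequest parameterised(String value) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(
            "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?value }");
        pss.setLiteral("value", value);
        return pss.asUpdate();
    }

    // Common mistake: the variable sits inside a quoted literal in the template.
    // Per the tests on this page, the pre-injection check flags a variable
    // directly surrounded by quotes and asUpdate() throws ARQException.
    static boolean quotedVariableIsRejected(String value) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(
            "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?value\" }");
        pss.setLiteral("value", value);
        try {
            pss.asUpdate();
            return false;
        } catch (ARQException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        UpdateRequest bad = concatenated(HOSTILE);
        System.out.println("concatenated: " + bad.getOperations().size()
            + " operation(s)");
        System.out.println(bad);

        UpdateRequest good = parameterised(HOSTILE);
        System.out.println("parameterised: " + good.getOperations().size()
            + " operation(s)");
        System.out.println(good);

        System.out.println("variable inside quotes rejected: "
            + quotedVariableIsRejected(HOSTILE));
    }
}
```

Run it with jena-arq on the classpath and compare the two printed requests: the concatenated one carries DROP ALL as a separate operation, the parameterised one carries the full payload as the object literal of a single triple. The practical rule the tests encode is that the template should contain a bare ?var (or positional ?) where a value belongs and never put quotes around it; quoting is the serialiser's job.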

Aggregations

Types used together with UpdateRequest (org.apache.jena.update.UpdateRequest) across 130 usages:

Test (org.junit.Test) 85
DatasetGraph (org.apache.jena.sparql.core.DatasetGraph) 20
UpdateProcessor (org.apache.jena.update.UpdateProcessor) 14
UpdateProcessRemoteBase (org.apache.jena.sparql.modify.UpdateProcessRemoteBase) 13
Model (org.apache.jena.rdf.model.Model) 10
Dataset (org.apache.jena.query.Dataset) 9
UpdateExecution (org.apache.jena.update.UpdateExecution) 9
Node (org.apache.jena.graph.Node) 7
RDFNode (org.apache.jena.rdf.model.RDFNode) 6
Resource (org.apache.jena.rdf.model.Resource) 6
HttpTest (org.apache.jena.fuseki.test.HttpTest) 5
URI (java.net.URI) 4
HashMap (java.util.HashMap) 4
Syntax (org.apache.jena.query.Syntax) 4
Context (org.apache.jena.sparql.util.Context) 4
AuthScope (org.apache.http.auth.AuthScope) 3
Literal (org.apache.jena.rdf.model.Literal) 3
Update (org.apache.jena.update.Update) 3
StringWriter (java.io.StringWriter) 2