use of org.apache.jena.update.UpdateRequest in project jena by apache.
the class TestParameterizedSparqlString method test_param_string_injection_15.
@Test(expected = ARQException.class)
public void test_param_string_injection_15() {
// This injection attempt tries to chain together injections to achieve
// an attack, the first injection appears innocuous and is an attempt to
// set up an actual injection vector
// Since we not check out delimiters we are not able to detect and
// prevent this
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var", "a");
pss.setLiteral("var2", "b");
// Figure out which variable will be injected first
@SuppressWarnings("deprecation") String first = pss.getVars().next();
String second = first.equals("var") ? "var2" : "var";
pss.setLiteral(first, " ?" + second + " ");
pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
UpdateRequest updates = pss.asUpdate();
Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
use of org.apache.jena.update.UpdateRequest in project jena by apache.
the class TestParameterizedSparqlString method test_param_string_positional_injection_12.
@Test(expected = ARQException.class)
public void test_param_string_positional_injection_12() {
// This is a variant on placing a variable bound to a literal inside a
// literal resulting in an injection, we are now able to detect and
// prevent this
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ? other text\" }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
UpdateRequest updates = pss.asUpdate();
Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
use of org.apache.jena.update.UpdateRequest in project jena by apache.
the class TestParameterizedSparqlString method test_param_string_injection_06.
@Test(expected = ARQException.class)
public void test_param_string_injection_06() {
// This injection attempt is prevented by forbidding injection to a
// variable parameter immediately surrounded by quotes
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var", "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye");
UpdateRequest updates = pss.asUpdate();
Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
use of org.apache.jena.update.UpdateRequest in project jena by apache.
the class TestParameterizedSparqlString method test_param_string_injection_12.
@Test(expected = ARQException.class)
public void test_param_string_injection_12() {
// This is a variant on placing a variable bound to a literal inside a
// literal resulting in an injection, we are now able to detect and
// prevent this
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ?var other text\" }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
UpdateRequest updates = pss.asUpdate();
Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
use of org.apache.jena.update.UpdateRequest in project jena by apache.
the class TestParameterizedSparqlString method test_param_string_injection_10.
@Test(expected = ARQException.class)
public void test_param_string_injection_10() {
// This injection attempt tries to chain together injections to achieve
// an attack, the first
// injection appears innocuous and is an attempt to set up an actual
// injection vector
// The injection is prevented because a ?var directly surrounded by
// quotes is always flagged as
// subject to injection because pre-injection validation happens before
// each variable is injected
String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
pss.setLiteral("var", "a");
pss.setLiteral("var2", "b");
// Figure out which variable will be injected first
@SuppressWarnings("deprecation") String first = pss.getVars().next();
String second = first.equals("var") ? "var2" : "var";
pss.setLiteral(first, "?" + second);
pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
UpdateRequest updates = pss.asUpdate();
Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
Aggregations