Use of org.apache.jena.update.UpdateRequest in project jena by apache.
Class TestParameterizedSparqlString, method test_param_string_positional_injection_14.
@Test
public void test_param_string_positional_injection_14() {
    // Variant of the "literal inside a literal" injection, this time through a
    // positional parameter: the ' in the injected value is escaped, so the
    // enclosing literal cannot be closed early and the trailing DROP ALL never
    // becomes an operation of its own
    String command = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> 'some text ? other text' }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(command);
    String injected = "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#";
    pss.setLiteral(0, injected);

    // Exactly one operation must survive: the original INSERT DATA
    UpdateRequest request = pss.asUpdate();
    Assert.assertEquals(1, request.getOperations().size());
}
Use of org.apache.jena.update.UpdateRequest in project jena by apache.
Class TestParameterizedSparqlString, method test_param_string_positional_injection_15.
@Test
public void test_param_string_positional_injection_15() {
    // Chained injection attempt: the first value looks innocuous (" ? ") and
    // tries to introduce a fresh positional parameter that the second value
    // could then use as its injection vector.
    // Delimiters are not inspected, so this attempt is not detected or
    // prevented on that basis.
    String command = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(command);
    pss.setLiteral(0, " ? ");
    pss.setLiteral(1, " . } ; DROP ALL ; INSERT DATA { <s> <p> ");

    // In the positional case the chain must still fail: the original command
    // text has exactly one eligible positional parameter, and a value bound to
    // it cannot introduce a second one
    Iterator<Integer> eligible = pss.getEligiblePositionalParameters();
    Assert.assertTrue(eligible.hasNext());
    eligible.next();
    Assert.assertFalse(eligible.hasNext());

    UpdateRequest request = pss.asUpdate();
    Assert.assertEquals(1, request.getOperations().size());
}
Use of org.apache.jena.update.UpdateRequest in project jena by apache.
Class TestParameterizedSparqlString, method test_param_string_bnode_3.
@Test
public void test_param_string_bnode_3() {
    // Treatment of blank nodes when a _: identifier is injected into a SPARQL
    // update
    Model model = ModelFactory.createDefaultModel();
    Resource bnode = model.createResource();
    bnode.addProperty(RDF.type, OWL.Thing);
    Assert.assertEquals(1, model.size());
    Dataset ds = DatasetFactory.create(model);

    // A parameterized query bound to the blank node must find the one triple
    ParameterizedSparqlString select = new ParameterizedSparqlString();
    select.setCommandText("SELECT * WHERE { ?s ?p ?o }");
    select.setIri("s", "_:" + bnode.getId());
    Query query = select.asQuery();
    try (QueryExecution qe = QueryExecutionFactory.create(query, ds)) {
        ResultSet results = qe.execSelect();
        Assert.assertEquals(1, ResultSetFormatter.consume(results));
    }

    // A parameterized update bound the same way, inverting the matched triple
    ParameterizedSparqlString insert = new ParameterizedSparqlString();
    insert.setCommandText("INSERT { ?o ?p ?s } WHERE { ?s ?p ?o }");
    insert.setIri("s", "_:" + bnode.getId());
    UpdateRequest update = insert.asUpdate();
    UpdateProcessor processor = UpdateExecutionFactory.create(update, ds);
    processor.execute();

    // The statement about the original blank node is untouched: it was part of
    // the initial model
    Assert.assertEquals(1, model.listStatements(bnode, null, (RDFNode) null).toList().size());
    // Nothing points back at the original blank node: a blank node in an INSERT
    // template denotes a freshly created node, not the existing one
    Assert.assertEquals(0, model.listStatements(null, null, bnode).toList().size());
}
Use of org.apache.jena.update.UpdateRequest in project jena by apache.
Class TestParameterizedSparqlString, method test_param_string_positional_injection_01.
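@Test(expected = ARQException.class)
public void test_param_string_positional_injection_01() {
    // Injection through an IRI parameter: the value tries to close the IRI
    // with '>' and append further operations. It is prevented because '>' is
    // forbidden inside IRIs, so asUpdate() must throw ARQException.
    String command = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?v . }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(command);
    pss.setIri(0, "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>");

    // The returned request is never inspected (it was previously stored in an
    // unused local); reaching the line after this call is the failure case
    pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}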
Use of org.apache.jena.update.UpdateRequest in project jena by apache.
Class TestParameterizedSparqlString, method test_param_string_injection_11.
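@Test(expected = ARQException.class)
public void test_param_string_injection_11() {
    // Variant of the "literal inside a literal" injection using a named
    // parameter placed inside a double-quoted literal. This form is detected,
    // so asUpdate() must throw ARQException rather than produce extra
    // operations.
    String command = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ?var \" }";
    ParameterizedSparqlString pss = new ParameterizedSparqlString(command);
    pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");

    // The returned request is never inspected (it was previously stored in an
    // unused local); reaching the line after this call is the failure case
    pss.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}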