the class TestParameterizedSparqlString method test_param_string_positional_injection_03.
/**
 * Positional literal parameter containing a closing quote and a trailing
 * DROP ALL / INSERT DATA sequence. The test asserts that the value stays
 * confined to a single literal: the parsed request holds exactly one
 * operation, i.e. the extra statements were not injected.
 */
@Test
public void test_param_string_positional_injection_03() {
    String template = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }";
    String payload = "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>";
    ParameterizedSparqlString parameterized = new ParameterizedSparqlString(template);
    parameterized.setLiteral(0, payload);
    UpdateRequest request = parameterized.asUpdate();
    // One operation only: the injected text must not have become a second update
    Assert.assertEquals(1, request.getOperations().size());
}
the class TestParameterizedSparqlString method test_param_string_injection_09.
/**
 * Named literal parameter whose value tries to close the literal, append
 * DROP ALL / INSERT DATA, and hide the remainder behind a SPARQL comment
 * marker ({@code #}). The test asserts the value is kept inside the quoted
 * literal, so the request still parses to exactly one operation.
 */
@Test
public void test_param_string_injection_09() {
    String template = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }";
    String payload = "\" . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#";
    ParameterizedSparqlString parameterized = new ParameterizedSparqlString(template);
    parameterized.setLiteral("var", payload);
    UpdateRequest request = parameterized.asUpdate();
    // The comment marker is part of the literal text, not a SPARQL comment
    Assert.assertEquals(1, request.getOperations().size());
}
the class TestParameterizedSparqlString method test_param_string_positional_injection_02.
/**
 * Positional IRI parameter whose value contains {@code >} followed by
 * DROP ALL / INSERT DATA. The {@code >} character is not permitted inside an
 * IRI, so building the update is expected to fail with {@link ARQException}
 * rather than produce an injected request.
 */
@Test(expected = ARQException.class)
public void test_param_string_positional_injection_02() {
    String template = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }";
    String payload = "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye";
    ParameterizedSparqlString parameterized = new ParameterizedSparqlString(template);
    parameterized.setIri(0, payload);
    // Expected to throw; reaching the line below means the IRI check did not fire
    parameterized.asUpdate();
    Assert.fail("Attempt to do SPARQL injection should result in an exception");
}
the class TestParameterizedSparqlString method test_param_string_positional_injection_13.
/**
 * Positional parameter placed inside a single-quoted literal in the template,
 * bound to a value that starts with {@code '} and continues with
 * DROP ALL / INSERT DATA. Single quotes in the value are escaped, so the test
 * asserts the request still contains exactly one operation.
 */
@Test
public void test_param_string_positional_injection_13() {
    String template = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ' ? ' }";
    String payload = "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#";
    ParameterizedSparqlString parameterized = new ParameterizedSparqlString(template);
    parameterized.setLiteral(0, payload);
    UpdateRequest request = parameterized.asUpdate();
    // The leading quote in the value must not close the surrounding literal
    Assert.assertEquals(1, request.getOperations().size());
}
the class ActionDatasets method setDatasetState.
/**
 * Persistent state change: rewrites the {@code fu:status} of the dataset
 * record whose {@code fu:name} matches {@code name} in the system dataset.
 *
 * Runs inside a WRITE transaction on {@code system}; the transaction is
 * committed on success and aborted if anything throws before the commit.
 *
 * @param name     dataset name, with or without a leading "/"
 * @param newState resource to store as the new {@code fu:status} value
 */
private static void setDatasetState(String name, Resource newState) {
    boolean done = false;
    system.begin(ReadWrite.WRITE);
    try {
        // Stored names carry no leading slash
        String dbName = name.startsWith("/") ? name.substring(1) : name;
        // NOTE(review): dbName is spliced into the update text as a quoted
        // literal with no escaping visible in this block, so a name containing
        // a single quote would at least break the update. newState goes through
        // FmtUtils, which formats the node. Confirm the caller validates the
        // name, or bind it through a parameterized query instead.
        String updateText = StrUtils.strjoinNL(SystemState.PREFIXES,
            "DELETE { GRAPH ?g { ?s fu:status ?state } }",
            "INSERT { GRAPH ?g { ?s fu:status " + FmtUtils.stringForRDFNode(newState) + " } }",
            "WHERE {",
            " GRAPH ?g { ?s fu:name '" + dbName + "' ; ",
            " fu:status ?state .",
            " }",
            "}");
        UpdateRequest request = UpdateFactory.create(updateText);
        UpdateAction.execute(request, system);
        system.commit();
        done = true;
    } finally {
        // Anything that threw before commit leaves done == false
        if (!done) {
            system.abort();
        }
        system.end();
    }
}