http://git-wip-us.apache.org/repos/asf/jena/blob/3d70d735/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java ---------------------------------------------------------------------- diff --git a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java index d3a6250..0f07a2a 100644 --- a/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java +++ b/jena-arq/src/test/java/org/apache/jena/query/TestParameterizedSparqlString.java @@ -1,1881 +1,1881 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.jena.query; - -import java.util.Calendar ; -import java.util.Iterator ; -import java.util.TimeZone ; - -import org.apache.jena.datatypes.TypeMapper ; -import org.apache.jena.graph.Node ; -import org.apache.jena.graph.NodeFactory ; -import org.apache.jena.iri.IRIFactory ; -import org.apache.jena.rdf.model.* ; -import org.apache.jena.shared.impl.PrefixMappingImpl ; -import org.apache.jena.sparql.ARQException ; -import org.apache.jena.sparql.syntax.Element ; -import org.apache.jena.sparql.syntax.ElementGroup ; -import org.apache.jena.sparql.syntax.ElementTriplesBlock ; -import org.apache.jena.update.UpdateExecutionFactory ; -import org.apache.jena.update.UpdateProcessor ; -import org.apache.jena.update.UpdateRequest ; -import org.apache.jena.vocabulary.OWL ; -import org.apache.jena.vocabulary.RDF ; -import org.apache.jena.vocabulary.XSD ; -import org.junit.Assert ; -import org.junit.Test ; - -/** - * Tests for the {@link ParameterizedSparqlString} - * - */ -public class TestParameterizedSparqlString { - - private void test(ParameterizedSparqlString query, String[] expected, String[] notExpected) { - // System.out.println("Raw Command:"); - // System.out.println(query.getCommandText()); - String command = query.toString(); - // System.out.println("Injected Command:"); - // System.out.println(command); - for (String x : expected) { - Assert.assertTrue(command.contains(x)); - } - for (String x : notExpected) { - Assert.assertFalse(command.contains(x)); - } - } - - private Query testAsQuery(ParameterizedSparqlString query) { - return query.asQuery(); - } - - private UpdateRequest testAsUpdate(ParameterizedSparqlString update) { - return update.asUpdate(); - } - - @Test - public void test_param_string_constructor_1() { - // Test empty constructor - ParameterizedSparqlString query = new ParameterizedSparqlString(); - Assert.assertEquals("", query.getCommandText()); - } - - @Test - public void test_param_string_constructor_2() { - // Test constructor with null command - null command should map to empty - // command automagically - ParameterizedSparqlString query = new ParameterizedSparqlString((String) null); - Assert.assertEquals("", query.getCommandText()); - } - - @Test - public void test_param_string_constructor_3() { - // Test constructor with base URI - ParameterizedSparqlString query = new ParameterizedSparqlString("", "http://example.org";); - Assert.assertEquals("http://example.org";, query.getBaseUri()); - } - - @Test - public void test_param_string_constructor_4() { - // Test constructor with predefined parameters - QuerySolutionMap map = new QuerySolutionMap(); - Resource r = ResourceFactory.createResource("http://example.org";); - map.add("s", r); - ParameterizedSparqlString query = new ParameterizedSparqlString("", map); - - Assert.assertEquals(r.asNode(), query.getParam("s")); - } - - @Test - public void test_param_string_constructor_5() { - // Test constructor with predefined parameters - variant of constructor - // that does not require command text - QuerySolutionMap map = new QuerySolutionMap(); - Resource r = ResourceFactory.createResource("http://example.org";); - map.add("s", r); - ParameterizedSparqlString query = new ParameterizedSparqlString(map); - - Assert.assertEquals(r.asNode(), query.getParam("s")); - } - - @Test - public void test_param_string_constructor_6() { - // Test constructor with predefined parameters - QuerySolutionMap map = new QuerySolutionMap(); - Resource r = ResourceFactory.createResource("http://example.org";); - map.add("s", r); - Literal l = ResourceFactory.createPlainLiteral("example"); - map.add("o", l); - ParameterizedSparqlString query = new ParameterizedSparqlString("", map); - - Assert.assertEquals(r.asNode(), query.getParam("s")); - Assert.assertEquals(l.asNode(), query.getParam("o")); - } - - @Test - public void test_param_string_constructor_7() { - // Test constructor with predefined parameters - variant of constructor - // that does not require command text - QuerySolutionMap map = new QuerySolutionMap(); - Resource r = ResourceFactory.createResource("http://example.org";); - map.add("s", r); - Literal l = ResourceFactory.createPlainLiteral("example"); - map.add("o", l); - ParameterizedSparqlString query = new ParameterizedSparqlString(map); - - Assert.assertEquals(r.asNode(), query.getParam("s")); - Assert.assertEquals(l.asNode(), query.getParam("o")); - } - - @Test - public void test_param_string_constructor_8() { - // Test constructors with predefined prefixes - PrefixMappingImpl prefixes = new PrefixMappingImpl(); - prefixes.setNsPrefix("ex", "http://example.org";); - ParameterizedSparqlString query = new ParameterizedSparqlString("", prefixes); - - Assert.assertEquals(prefixes.getNsPrefixURI("ex"), query.getNsPrefixURI("ex")); - } - - @Test - public void test_param_string_constructor_9() { - // Test constructors with predefined prefixes - variant of constructor - // that does not require command text - PrefixMappingImpl prefixes = new PrefixMappingImpl(); - prefixes.setNsPrefix("ex", "http://example.org";); - ParameterizedSparqlString query = new ParameterizedSparqlString(prefixes); - - Assert.assertEquals(prefixes.getNsPrefixURI("ex"), query.getNsPrefixURI("ex")); - } - - @Test - public void test_param_string_iri_1() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - - test(query, new String[] { "<http://example.org>" }, new String[] { "?s" }); - } - - @Test - public void test_param_string_iri_2() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("p", "http://example.org";); - - test(query, new String[] { "<http://example.org>" }, new String[] { "?p" }); - } - - @Test - public void test_param_string_iri_3() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("o", "http://example.org";); - - test(query, new String[] { "<http://example.org>" }, new String[] { "?o" }); - } - - @Test - public void test_param_string_iri_4() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o . ?s a ?type }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - - test(query, new String[] { "<http://example.org>" }, new String[] { "?s" }); - } - - @Test - public void test_param_string_iri_5() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - - test(query, new String[] { "<http://example.org>", "<http://predicate>" }, new String[] { "?s", "?p" }); - } - - @Test - public void test_param_string_bnode_1() { - // Test Blank Node injection - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "_:blankNodeID"); - - test(query, new String[] { "<_:blankNodeID>" }, new String[] { "?s" }); - } - - @Test - public void test_param_string_bnode_2() { - // Test Blank Node injenction - String cmdText = "INSERT { GRAPH <target> { ?node a:p ?o . } } WHERE { ?node a:p ?o . }"; - ParameterizedSparqlString update = new ParameterizedSparqlString(cmdText); - update.setIri("node", "_:blankNodeID"); - - test(update, new String[] { "<_:blankNodeID>" }, new String[] { "?node" }); - } - - @Test - public void test_param_string_bnode_3() { - // Test case related to treatment of blank nodes when injecting into - // SPARQL updates using _: syntax - - Model model = ModelFactory.createDefaultModel(); - Resource bnode = model.createResource(); - bnode.addProperty(RDF.type, OWL.Thing); - Assert.assertEquals(1, model.size()); - - Dataset ds = DatasetFactory.create(model); - - // Use a parameterized query to check the data can be found - ParameterizedSparqlString pq = new ParameterizedSparqlString(); - pq.setCommandText("SELECT * WHERE { ?s ?p ?o }"); - pq.setIri("s", "_:" + bnode.getId()); - Query q = pq.asQuery(); - try(QueryExecution qe = QueryExecutionFactory.create(q, ds)) { - ResultSet rset = qe.execSelect(); - Assert.assertEquals(1, ResultSetFormatter.consume(rset)); - } - - // Use a parameterized update to modify the data - ParameterizedSparqlString s = new ParameterizedSparqlString(); - s.setCommandText("INSERT { ?o ?p ?s } WHERE { ?s ?p ?o }"); - s.setIri("s", "_:" + bnode.getId()); - UpdateRequest query = s.asUpdate(); - UpdateProcessor proc = UpdateExecutionFactory.create(query, ds); - proc.execute(); - - // This should be true because this was present in the intial model set - // up - Assert.assertEquals(1, model.listStatements(bnode, null, (RDFNode) null).toList().size()); - // This should return 0 because the INSERT should result in a new blank - // node being created rather than the existing one being reused becaue - // of the semantics of blank nodes usage in templates - Assert.assertEquals(0, model.listStatements(null, null, bnode).toList().size()); - } - - @Test - public void test_param_string_mixed_1() { - // Test simple injection - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", true); - - test(query, new String[] { "<http://example.org>", "<http://predicate>", "true" }, new String[] { "?s", "?p", "?o" }); - } - - @Test - public void test_param_string_string_1() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "test"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\" . }", query.toString()); - } - - @Test - public void test_param_string_string_2() { - // Test a string with quotes - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "A \"test\" string"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"A \\\"test\\\" string\" . }", - query.toString()); - } - - @Test - public void test_param_string_string_3() { - // Test a string with a $ - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "Show me the $!"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"Show me the $!\" . }", query.toString()); - } - - @Test - public void test_param_string_string_4() { - // Test a string with a newline - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "A multi\nline string"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"A multi\\nline string\" . }", - query.toString()); - } - - @Test - public void test_param_string_string_5() { - // Test a string with a tab - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "A tabby\tstring"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"A tabby\\tstring\" . }", query.toString()); - } - - @Test - public void test_param_string_string_6() { - // Test a string with a single quote - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "A test's test"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"A test\\'s test\" . }", query.toString()); - } - - @Test - public void test_param_string_string_7() { - // Test a string with a backslash - String cmdText = "SELECT * WHERE { ?s ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("p", "http://predicate";); - query.setLiteral("o", "test a\\b"); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test a\\\\b\" . }", query.toString()); - } - - @Test - public void test_param_string_boolean_1() { - // Test boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", true); - - // We don't expect #boolean as booleans should be formatted as plain - // literals - test(query, new String[] { "true" }, new String[] { "?o", XSD.xboolean.toString() }); - } - - @Test - public void test_param_string_boolean_2() { - // Test boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", false); - - // We don't expect #boolean as booleans should be formatted as plain - // literals - test(query, new String[] { "false" }, new String[] { "?o", XSD.xboolean.toString() }); - } - - @Test - public void test_param_string_boolean_3() { - // Test invalid boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xboolean.toString())); - - // We expect #boolean as booleans with invalid lexical values should not - // be formatted as plain literals - test(query, new String[] { "xyz", XSD.xboolean.toString() }, new String[] { "?o" }); - } - - @Test - public void test_param_string_boolean_4() { - // Test boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, true); - - // We don't expect #boolean as booleans should be formatted as plain - // literals - test(query, new String[] { "true" }, new String[] { "? ", XSD.xboolean.toString() }); - } - - @Test - public void test_param_string_boolean_5() { - // Test boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, false); - - // We don't expect #boolean as booleans should be formatted as plain - // literals - test(query, new String[] { "false" }, new String[] { "? ", XSD.xboolean.toString() }); - } - - @Test - public void test_param_string_boolean_6() { - // Test invalid boolean injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xboolean.toString())); - - // We expect #boolean as booleans with invalid lexical values should not - // be formatted as plain literals - test(query, new String[] { "xyz", XSD.xboolean.toString() }, new String[] { "? " }); - } - - @Test - public void test_param_string_int_1() { - // Test integer injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", 1234); - - // We don't expect #integer as integers should be formatted as typed - // literals - test(query, new String[] { "1234" }, new String[] { "?o", XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_int_2() { - // Test long integer injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", 3000000000l); - - // We don't expect #integer as integers should be formatted as typed - // literals - test(query, new String[] { "3000000000" }, new String[] { "?o", XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_int_3() { - // Test invalid integer injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.integer.toString())); - - // We do expect #integer as invalid integers should be formatted with - // their type - test(query, new String[] { "xyz", XSD.integer.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_int_4() { - // Test integer injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, 1234); - - // We don't expect #integer as integers should be formatted as typed - // literals - test(query, new String[] { "1234" }, new String[] { "? ", XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_int_5() { - // Test long integer injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, 3000000000l); - - // We don't expect #integer as integers should be formatted as typed - // literals - test(query, new String[] { "3000000000" }, new String[] { "? ", XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_int_6() { - // Test invalid integer injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.integer.toString())); - - // We do expect #integer as invalid integers should be formatted with - // their type - test(query, new String[] { "xyz", XSD.integer.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_1() { - // Test double injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", 123.4); - - // We expect #double as doubles without exponents cannot be formatted as - // plain literals - test(query, new String[] { "123.4", XSD.xdouble.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_2() { - // Test double injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", 123.0e5); - - // We don't expect #double as we expected doubles to be formatted as - // plain literals - test(query, new String[] { "1.23E7" }, new String[] { "?o", XSD.xdouble.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_3() { - // Test invalid double injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xdouble.toString())); - - // We expect #double as invalid doubles cannot be formatted as plain - // literals - test(query, new String[] { "xyz", XSD.xdouble.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_4() { - // Test double injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, 123.4); - - // We expect #double as doubles without exponents cannot be formatted as - // plain literals - test(query, new String[] { "123.4", XSD.xdouble.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_5() { - // Test double injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, 123.0e5); - - // We don't expect #double as we expected doubles to be formatted as - // plain literals - test(query, new String[] { "1.23E7" }, new String[] { "? ", XSD.xdouble.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_double_6() { - // Test invalid double injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xdouble.toString())); - - // We expect #double as invalid doubles cannot be formatted as plain - // literals - test(query, new String[] { "xyz", XSD.xdouble.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_float_1() { - // Test float injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", 123.4f); - - // We expect #float as floats should be formatted as typed literals - test(query, new String[] { "123.4", XSD.xfloat.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_float_2() { - // Test float injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, 123.4f); - - // We expect #float as floats should be formatted as typed literals - test(query, new String[] { "123.4", XSD.xfloat.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_date_1() { - // Test date injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - Calendar dt = Calendar.getInstance(TimeZone.getTimeZone("UTC")); - dt.set(2012, 1, 24, 12, 0, 0); - query.setLiteral("o", dt); - - // We expect #dateTime as dateTime should be formatted as typed literals - test(query, new String[] { "2012-02-24T12:00:00", XSD.dateTime.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_date_2() { - // Test invalid date injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.dateTime.toString())); - - // We expect #dateTime as dateTime should be formatted as typed literals - test(query, new String[] { "xyz", XSD.dateTime.toString() }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_date_3() { - // Test date injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - Calendar dt = Calendar.getInstance(TimeZone.getTimeZone("UTC")); - dt.set(2012, 1, 24, 12, 0, 0); - query.setLiteral(0, dt); - - // We expect #dateTime as dateTime should be formatted as typed literals - test(query, new String[] { "2012-02-24T12:00:00", XSD.dateTime.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_date_4() { - // Test invalid date injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.dateTime.toString())); - - // We expect #dateTime as dateTime should be formatted as typed literals - test(query, new String[] { "xyz", XSD.dateTime.toString() }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_lang_1() { - // Test lang literal injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "hello", "en"); - - test(query, new String[] { "hello", "@en" }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_lang_2() { - // Test lang literal injection - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("o", "bonjour", "fr"); - - test(query, new String[] { "bonjour", "@fr" }, new String[] { "?o" }); - testAsQuery(query); - } - - @Test - public void test_param_string_lang_3() { - // Test lang literal injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "hello", "en"); - - test(query, new String[] { "hello", "@en" }, new String[] { "? " }); - testAsQuery(query); - } - - @Test - public void test_param_string_lang_4() { - // Test lang literal injection - String cmdText = "SELECT * WHERE { ?s ?p ? }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral(0, "bonjour", "fr"); - - test(query, new String[] { "bonjour", "@fr" }, new String[] { "? " }); - testAsQuery(query); - } - - @Test(expected = QueryException.class) - public void test_param_string_bad_1() { - // Test bad input - not a valid query - String cmdText = "Not a query"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - - testAsQuery(query); - } - - @Test(expected = QueryException.class) - public void test_param_string_simple_bad_1() { - // Test bad input - injecting the parameter makes the query invalid - String cmdText = "SELECT ?s WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - - test(query, new String[] { "<http://example.org>" }, new String[] { "?s" }); - testAsQuery(query); - } - - @Test - public void test_param_string_precedence_1() { - // Test simple injection precedence - // Setting parameter multiple times just overrides the existing setting - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setIri("s", "http://alternate.org";); - - test(query, new String[] { "<http://alternate.org>" }, new String[] { "?s", "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_precedence_2() { - // Test simple injection precedence - // Setting parameter multiple times just overrides the existing setting - String cmdText = "SELECT * WHERE { ? ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri(0, "http://example.org";); - query.setIri(0, "http://alternate.org";); - - test(query, new String[] { "<http://alternate.org>" }, new String[] { "? ", "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_name_collision_1() { - // Test name collision - // The parameter we inject has a name which is a prefix of another - // variable name, only the - // actual name should be injected to - String cmdText = "SELECT * WHERE { ?a ?ab ?abc }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("a", "http://example.org";); - - // In the not expected list we need the whitespace after ?a as otherwise - // the test will give a - // false negative since obviously we should still have ?ab and ?abc - // present - test(query, new String[] { "<http://example.org>", "?ab", "?abc" }, new String[] { "?a " }); - testAsQuery(query); - } - - @Test - public void test_param_string_name_collision_2() { - // Test name collision - // The parameter we inject has a name which is a prefix of another - // variable name, only the - // actual name should be injected to - String cmdText = "SELECT * WHERE { ?abc ?ab ?a. }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("a", "http://example.org";); - - // In the not expected list we need the whitespace after ?a as otherwise - // the test will give a - // false negative since obviously we should still have ?ab and ?abc - // present - test(query, new String[] { "<http://example.org>", "?ab", "?abc" }, new String[] { "?a " }); - testAsQuery(query); - } - - @Test - public void test_param_string_name_collision_3() { - // Test name collision - // In this test the parameter we inject has a name which collides with a - // term used - // in a prefix in the query - String cmdText = "PREFIX ex: <http://example.org/vocab#> SELECT * WHERE { ?s ex:name ?name }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setLiteral("name", "Bob"); - - // In the expected list we want to see Bob, in the not expected list we - // don't want to see - // ex:Bob since that would be a bad variable insertion - test(query, new String[] { "Bob" }, new String[] { "?name", "ex:Bob" }); - testAsQuery(query); - } - - @Test - public void test_param_string_clear_1() { - // Test clearing of parameter - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.clearParam("s"); - - test(query, new String[] { "?s" }, new String[] { "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_clear_2() { - // Test clearing of parameter - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.clearParams(); - - test(query, new String[] { "?s" }, new String[] { "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_clear_3() { - // Test indirect clearing of parameter by setting param to null - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri("s", "http://example.org";); - query.setParam("s", (Node) null); - - test(query, new String[] { "?s" }, new String[] { "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_clear_4() { - // Test clearing of parameter - String cmdText = "SELECT * WHERE { ? ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri(0, "http://example.org";); - query.clearParam(0); - - test(query, new String[] { "? " }, new String[] { "<http://example.org>" }); - } - - @Test - public void test_param_string_clear_5() { - // Test clearing of parameter - String cmdText = "SELECT * WHERE { ? ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri(0, "http://example.org";); - query.clearParams(); - - test(query, new String[] { "? " }, new String[] { "<http://example.org>" }); - } - - @Test - public void test_param_string_clear_6() { - // Test indirect clearing of parameter by setting param to null - String cmdText = "SELECT * WHERE { ? ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setIri(0, "http://example.org";); - query.setParam(0, (Node) null); - - test(query, new String[] { "? " }, new String[] { "<http://example.org>" }); - } - - @Test - public void test_param_string_prefixes_1() { - // Test prefixes are prepended - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setNsPrefix("ex", "http://example.org";); - - test(query, new String[] { "PREFIX", "ex:", "<http://example.org>" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_prefixes_2() { - // Test prefixes are prepended - String cmdText = "SELECT * WHERE { ?s ex:predicate ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setNsPrefix("ex", "http://example.org";); - - test(query, new String[] { "PREFIX", "ex:", "<http://example.org>", "ex:predicate" }, new String[] {}); - testAsQuery(query); - } - - @Test(expected = QueryException.class) - public void test_param_string_prefixes_bad_1() { - // Test bad input - using a prefix without defining prefix - String cmdText = "SELECT * WHERE { ?s ex:predicate ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - - // Testing with an PName using an undefined prefix in the string - // Should fail on parsing - test(query, new String[] { "ex:predicate" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_base_1() { - // Test base is prepended - String cmdText = "SELECT * WHERE { ?s <#predicate> ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setBaseUri("http://example.org";); - - test(query, new String[] { "BASE", "<http://example.org>" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_base_bad_1() { - // Test questionable input - using relative URI without defining base - // ARQ accepts this, not sure if this is a way to disable this as this - // test should - // ideally be expecting a QueryException - String cmdText = "SELECT * WHERE { ?s <#predicate> ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - - test(query, new String[] {}, new String[] { "BASE", "<http://example.org>" }); - testAsQuery(query); - } - - @Test - public void test_param_string_copy_1() { - // Test copying - copying always copies command text - String cmdText = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - ParameterizedSparqlString copy = query.copy(); - - Assert.assertEquals(cmdText, copy.getCommandText()); - } - - @Test - public void test_param_string_copy_2() { - // Test copying - copying and changing a parameter changes only one - // instance - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setIri("x", "http://example.org/original";); - ParameterizedSparqlString copy = query.copy(); - copy.setIri("x", "http://example.org/copy";); - - Assert.assertEquals("http://example.org/original";, query.getParam("x").toString()); - Assert.assertFalse("http://example.org/copy".equals(query.getParam("x").toString())); - - Assert.assertEquals("http://example.org/copy";, copy.getParam("x").toString()); - Assert.assertFalse("http://example.org/original".equals(copy.getParam("x").toString())); - } - - @Test - public void test_param_string_copy_3() { - // Test copying - copying should copy prefixes - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setNsPrefix("ex", "http://example.org";); - ParameterizedSparqlString copy = query.copy(); - - Assert.assertEquals("http://example.org";, copy.getNsPrefixURI("ex")); - } - - @Test - public void test_param_string_copy_4() { - // Test copying - copying should copy base URI - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setBaseUri("http://example.org";); - ParameterizedSparqlString copy = query.copy(); - - Assert.assertEquals("http://example.org";, copy.getBaseUri()); - } - - @Test - public void test_param_string_copy_5() { - // Test selective copying - copying without copying parameters - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setIri("x", "http://example.org/original";); - ParameterizedSparqlString copy = query.copy(false); - - Assert.assertEquals("http://example.org/original";, query.getParam("x").toString()); - Assert.assertEquals(null, copy.getParam("x")); - } - - @Test - public void test_param_string_copy_6() { - // Test selective copying - copying without copying prefixes - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setNsPrefix("ex", "http://example.org";); - ParameterizedSparqlString copy = query.copy(true, true, false); - - Assert.assertFalse("http://example.org".equals(copy.getNsPrefixURI("ex"))); - } - - @Test - public void test_param_string_copy_7() { - // Test copying - copying and changing a parameter changes only one - // instance - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setIri(0, "http://example.org/original";); - ParameterizedSparqlString copy = query.copy(); - copy.setIri(0, "http://example.org/copy";); - - Assert.assertEquals("http://example.org/original";, query.getParam(0).toString()); - Assert.assertFalse("http://example.org/copy".equals(query.getParam(0).toString())); - - Assert.assertEquals("http://example.org/copy";, copy.getParam(0).toString()); - Assert.assertFalse("http://example.org/original".equals(copy.getParam(0).toString())); - } - - @Test - public void test_param_string_copy_8() { - // Test selective copying - copying without copying parameters - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.setIri(0, "http://example.org/original";); - ParameterizedSparqlString copy = query.copy(false); - - Assert.assertEquals("http://example.org/original";, query.getParam(0).toString()); - Assert.assertEquals(null, copy.getParam(0)); - } - - @Test - public void test_param_string_append_1() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p ?o }"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "?o" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_2() { - // Test appending simple types - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.append(true); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "true" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_3() { - // Test appending simple types - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.append(123); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "123" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_4() { - // Test appending simple types - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.append(123l); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "123" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_5() { - // Test appending simple types - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.append(123.0e5); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "1.23E7" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_iri_1() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s "); - query.appendIri("http://example.org";); - query.append(" ?o }"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "<http://example.org>", "?o" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_iri_2() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s "); - query.appendIri(IRIFactory.iriImplementation().construct("http://example.org";)); - query.append(" ?o }"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "<http://example.org>", "?o" }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_boolean_1() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral(true); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "true" }, new String[] { XSD.xboolean.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_append_boolean_2() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral("xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xboolean.toString())); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "xyz", XSD.xboolean.toString() }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_integer_1() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral(123); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "123" }, new String[] { XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_append_integer_2() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral("xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.integer.toString())); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "xyz", XSD.integer.toString() }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_integer_3() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral(123l); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "123" }, new String[] { XSD.integer.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_append_double_1() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral(123.0e5); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "1.23E7" }, new String[] { XSD.xdouble.toString() }); - testAsQuery(query); - } - - @Test - public void test_param_string_append_double_2() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral(1.23d); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "1.23", XSD.xdouble.toString() }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_append_double_3() { - // Test appending text - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT *"); - query.append('\n'); - query.append("WHERE { ?s ?p "); - query.appendLiteral("xyz", TypeMapper.getInstance().getSafeTypeByName(XSD.xdouble.toString())); - query.append("}"); - - test(query, new String[] { "SELECT", "*", "\n", "WHERE", "?s", "?p", "xyz", XSD.xdouble.toString() }, new String[] {}); - testAsQuery(query); - } - - @Test - public void test_param_string_positional_1() { - // Test positional parameters - ParameterizedSparqlString query = new ParameterizedSparqlString(); - query.append("SELECT * WHERE { ? ?p ?o }"); - query.setParam(0, NodeFactory.createURI("http://example.org";)); - - test(query, new String[] { "<http://example.org>" }, new String[] { "? " }); - } - - @Test - public void test_param_string_positional_2() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ? . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createURI("http://example.org";)); - query.setParam(1, NodeFactory.createURI("http://predicate";)); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\" . }", query.toString()); - } - - @Test - public void test_param_string_positional_3() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ? . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createLiteral("with ? mark")); - query.setParam(1, NodeFactory.createURI("http://predicate";)); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { \"with ? mark\" <http://predicate> \"test\" . }", query.toString()); - } - - @Test - public void test_param_string_positional_4() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ? . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createLiteral("with ? mark")); - query.setParam(1, NodeFactory.createLiteral("with ? mark")); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { \"with ? mark\" \"with ? mark\" \"test\" . }", query.toString()); - } - - @Test - public void test_param_string_positional_5() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ?. }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createURI("http://example.org";)); - query.setParam(1, NodeFactory.createURI("http://predicate";)); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\". }", query.toString()); - } - - @Test - public void test_param_string_positional_6() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ?; ?p ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createURI("http://example.org";)); - query.setParam(1, NodeFactory.createURI("http://predicate";)); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\"; ?p ?o . }", query.toString()); - } - - @Test - public void test_param_string_positional_7() { - // Test regular string injection - String cmdText = "SELECT * WHERE { ? ? ?, ?o . }"; - ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); - query.setParam(0, NodeFactory.createURI("http://example.org";)); - query.setParam(1, NodeFactory.createURI("http://predicate";)); - query.setParam(2, NodeFactory.createLiteral("test")); - - Assert.assertEquals("SELECT * WHERE { <http://example.org> <http://predicate> \"test\", ?o . }", query.toString()); - } - - @Test - public void test_param_string_positional_eligible_1() { - // Test detection of eligible parameters - String cmdText = "SELECT * WHERE { ?s ?p ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText); - - Iterator<Integer> iter = pss.getEligiblePositionalParameters(); - int count = 0; - while (iter.hasNext()) { - count++; - iter.next(); - } - Assert.assertEquals(1, count); - } - - @Test - public void test_param_string_positional_eligible_2() { - // Test detection of eligible parameters - String cmdText = "SELECT * WHERE { ? ? ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText); - - Iterator<Integer> iter = pss.getEligiblePositionalParameters(); - int count = 0; - while (iter.hasNext()) { - count++; - iter.next(); - } - Assert.assertEquals(3, count); - } - - @Test - public void test_param_string_positional_eligible_3() { - // Test detection of eligible parameters - String cmdText = "SELECT * WHERE { ?s ?p ?; ?p1 ?, ?. }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(cmdText); - - Iterator<Integer> iter = pss.getEligiblePositionalParameters(); - int count = 0; - while (iter.hasNext()) { - count++; - iter.next(); - } - Assert.assertEquals(3, count); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_01() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_02() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri("var2", "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_injection_03() { - // This injection attempt results in a valid update but a failed - // injection - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var2 . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var2", "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_04() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri("var2", "hello> . ?s ?p ?o"); - - Query q = pss.asQuery(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_injection_05() { - // This injection attempt results in a valid query but a failed - // injection - String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ?var2 . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var2", "hello\" . ?s ?p ?o"); - - Query q = pss.asQuery(); - Element el = q.getQueryPattern(); - if (el instanceof ElementTriplesBlock) { - Assert.assertEquals(1, ((ElementTriplesBlock) q.getQueryPattern()).getPattern().size()); - } else if (el instanceof ElementGroup) { - Assert.assertEquals(1, ((ElementGroup) el).getElements().size()); - el = ((ElementGroup) el).getElements().get(0); - if (el instanceof ElementTriplesBlock) { - Assert.assertEquals(1, ((ElementTriplesBlock) el).getPattern().size()); - } - } - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_06() { - // This injection attempt is prevented by forbidding injection to a - // variable parameter immediately surrounded by quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_07() { - // This injection attempt is prevented by forbidding injection of - // variable parameters immediately surrounded by quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?var\" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_08() { - // This injection attempt results in an invalid SPARQL update because - // you end up with a double quoted literal inside a single quoted - // literal - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?var' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_injection_09() { - // This injection attempt using comments results in a valid SPARQL - // update but a failed injection because the attempt to use comments - // ends up being a valid string literal within quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "\" . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_10() { - // This injection attempt tries to chain together injections to achieve - // an attack, the first - // injection appears innocuous and is an attempt to set up an actual - // injection vector - // The injection is prevented because a ?var directly surrounded by - // quotes is always flagged as - // subject to injection because pre-injection validation happens before - // each variable is injected - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "a"); - pss.setLiteral("var2", "b"); - - // Figure out which variable will be injected first - @SuppressWarnings("deprecation") - String first = pss.getVars().next(); - String second = first.equals("var") ? "var2" : "var"; - - pss.setLiteral(first, "?" + second); - pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_11() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we are now able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ?var \" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_12() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we are now able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ?var other text\" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_injection_13() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we now escape ' so prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ' ?var ' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test - public void test_param_string_injection_14() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we now escape ' so prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> 'some text ?var other text' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test(expected = ARQException.class) - public void test_param_string_injection_15() { - // This injection attempt tries to chain together injections to achieve - // an attack, the first injection appears innocuous and is an attempt to - // set up an actual injection vector - // Since we not check out delimiters we are not able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?var }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "a"); - pss.setLiteral("var2", "b"); - - // Figure out which variable will be injected first - @SuppressWarnings("deprecation") - String first = pss.getVars().next(); - String second = first.equals("var") ? "var2" : "var"; - - pss.setLiteral(first, " ?" + second + " "); - pss.setLiteral(second, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_non_injection_01() { - // This test checks that a legitimate injection of a literal to a - // variable that occurs between two other literals is permitted - // Btw this is not a valid query but it serves to illustrate the case - String str = "SELECT * { \"subject\" ?var \"object\" . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("var", "predicate"); - - pss.toString(); - } - - @Test(expected = ARQException.class) - public void test_param_string_positional_injection_01() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ?v . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri(0, "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_positional_injection_02() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri(0, "hello> } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye"); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_positional_injection_03() { - // This injection attempt results in a valid update but a failed - // injection - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "hello\" } ; DROP ALL ; INSERT DATA { <s> <p> <goodbye>"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test(expected = ARQException.class) - public void test_param_string_positional_injection_04() { - // This injection is prevented by forbidding the > character in URIs - String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setIri(0, "hello> . ?s ?p ?o"); - - Query q = pss.asQuery(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_positional_injection_05() { - // This injection attempt results in a valid query but a failed - // injection - String str = "PREFIX : <http://example/>\nSELECT * WHERE { <s> <p> ? . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "hello\" . ?s ?p ?o"); - - Query q = pss.asQuery(); - Element el = q.getQueryPattern(); - if (el instanceof ElementTriplesBlock) { - Assert.assertEquals(1, ((ElementTriplesBlock) q.getQueryPattern()).getPattern().size()); - } else if (el instanceof ElementGroup) { - Assert.assertEquals(1, ((ElementGroup) el).getElements().size()); - el = ((ElementGroup) el).getElements().get(0); - if (el instanceof ElementTriplesBlock) { - Assert.assertEquals(1, ((ElementTriplesBlock) el).getPattern().size()); - } - } - } - - @Test - public void test_param_string_positional_injection_06() { - // This injection attempt is prevented by forbidding injection to a - // variable parameter immediately surrounded by quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "hello' . } ; DROP ALL ; INSERT DATA { <s> <p> \"goodbye"); - - // In the positional case this does not work because the '?' is not - // considered an eligible positional parameter due to the lack of - // subsequent white space or punctuation - Assert.assertFalse(pss.getEligiblePositionalParameters().hasNext()); - } - - @Test - public void test_param_string_positional_injection_07() { - // This injection attempt is prevented by forbidding injection of - // variable parameters immediately surrounded by quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"?\" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - // In the positional case this does not work because the "?" is not - // considered an eligible positional parameter due to the lack of - // subsequent white space or punctuation - Assert.assertFalse(pss.getEligiblePositionalParameters().hasNext()); - } - - @Test - public void test_param_string_positional_injection_08() { - // This injection attempt results in an invalid SPARQL update because - // you end up with a double quoted literal inside a single quoted - // literal - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> '?' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - // In the positional case this does not work because the '?' is not - // considered an eligible positional parameter due to the lack of - // subsequent white space or punctuation - Assert.assertFalse(pss.getEligiblePositionalParameters().hasNext()); - } - - @Test - public void test_param_string_positional_injection_09() { - // This injection attempt using comments results in a valid SPARQL - // update but a failed injection because the attempt to use comments - // ends up being a valid string literal within quotes - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "\" . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test - public void test_param_string_positional_injection_10() { - // This injection attempt tries to chain together injections to achieve - // an attack, the first - // injection appears innocuous and is an attempt to set up an actual - // injection vector - // The injection is prevented because a ?var directly surrounded by - // quotes is always flagged as - // subject to injection because pre-injection validation happens before - // each variable is injected - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "?"); - pss.setLiteral(1, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - // In the positional parameter case this should fail because there - // is only one eligible positional parameter in the string and we cannot - // introduce additional ones via chained injection - Iterator<Integer> params = pss.getEligiblePositionalParameters(); - Assert.assertTrue(params.hasNext()); - params.next(); - Assert.assertFalse(params.hasNext()); - - UpdateRequest u = pss.asUpdate(); - Assert.assertEquals(1, u.getOperations().size()); - } - - @Test(expected = ARQException.class) - public void test_param_string_positional_injection_11() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we are now able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \" ? \" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test(expected = ARQException.class) - public void test_param_string_positional_injection_12() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we are now able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> \"some text ? other text\" }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - UpdateRequest updates = pss.asUpdate(); - Assert.fail("Attempt to do SPARQL injection should result in an exception"); - } - - @Test - public void test_param_string_positional_injection_13() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we now escape ' so prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ' ? ' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test - public void test_param_string_positional_injection_14() { - // This is a variant on placing a variable bound to a literal inside a - // literal resulting in an injection, we now escape ' so prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> 'some text ? other text' }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "' . } ; DROP ALL ; INSERT DATA { <s> <p> <o> }#"); - - UpdateRequest updates = pss.asUpdate(); - Assert.assertEquals(1, updates.getOperations().size()); - } - - @Test - public void test_param_string_positional_injection_15() { - // This injection attempt tries to chain together injections to achieve - // an attack, the first injection appears innocuous and is an attempt to - // set up an actual injection vector - // Since we not check out delimiters we are not able to detect and - // prevent this - String str = "PREFIX : <http://example/>\nINSERT DATA { <s> <p> ? }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, " ? "); - pss.setLiteral(1, " . } ; DROP ALL ; INSERT DATA { <s> <p> "); - - // In the positional parameter case this should fail because there - // is only one eligible positional parameter in the string and we cannot - // introduce additional ones via chained injection - Iterator<Integer> params = pss.getEligiblePositionalParameters(); - Assert.assertTrue(params.hasNext()); - params.next(); - Assert.assertFalse(params.hasNext()); - - UpdateRequest u = pss.asUpdate(); - Assert.assertEquals(1, u.getOperations().size()); - } - - @Test - public void test_param_string_positional_non_injection_01() { - // This test checks that a legitimate injection of a literal to a - // variable that occurs between two other literals is permitted - // Btw this is not a valid query but it serves to illustrate the case - String str = "SELECT * { \"subject\" ? \"object\" . }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral(0, "predicate"); - - pss.toString(); - } - - @Test - public void test_param_string_bug_01() { - // Tests a bug reported with setting literals - String str = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("o", "has$sign"); - - pss.toString(); - } - - @Test - public void test_param_string_bug_02() { - // Tests a bug reported with setting literals - String str = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("o", "has$1sign"); - - pss.toString(); - } - - @Test - public void test_param_string_bug_03() { - // Tests a bug reported with setting literals - String str = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("o", "has$5sign"); - - pss.toString(); - } - - @Test - public void test_param_string_bug_04() { - // Tests a bug reported with setting literals - String str = "SELECT * WHERE { ?s ?p ?o }"; - ParameterizedSparqlString pss = new ParameterizedSparqlString(str); - pss.setLiteral("o", "has $9 sign"); - - pss.toString(); - } -} +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.jena.query; + +import java.util.Calendar ; +import java.util.Iterator ; +import java.util.TimeZone ; + +import org.apache.jena.datatypes.TypeMapper ; +import org.apache.jena.graph.Node ; +import org.apache.jena.graph.NodeFactory ; +import org.apache.jena.iri.IRIFactory ; +import org.apache.jena.rdf.model.* ; +import org.apache.jena.shared.impl.PrefixMappingImpl ; +import org.apache.jena.sparql.ARQException ; +import org.apache.jena.sparql.syntax.Element ; +import org.apache.jena.sparql.syntax.ElementGroup ; +import org.apache.jena.sparql.syntax.ElementTriplesBlock ; +import org.apache.jena.update.UpdateExecutionFactory ; +import org.apache.jena.update.UpdateProcessor ; +import org.apache.jena.update.UpdateRequest ; +import org.apache.jena.vocabulary.OWL ; +import org.apache.jena.vocabulary.RDF ; +import org.apache.jena.vocabulary.XSD ; +import org.junit.Assert ; +import org.junit.Test ; + +/** + * Tests for the {@link ParameterizedSparqlString} + * + */ +public class TestParameterizedSparqlString { + + private void test(ParameterizedSparqlString query, String[] expected, String[] notExpected) { + // System.out.println("Raw Command:"); + // System.out.println(query.getCommandText()); + String command = query.toString(); + // System.out.println("Injected Command:"); + // System.out.println(command); + for (String x : expected) { + Assert.assertTrue(command.contains(x)); + } + for (String x : notExpected) { + Assert.assertFalse(command.contains(x)); + } + } + + private Query testAsQuery(ParameterizedSparqlString query) { + return query.asQuery(); + } + + private UpdateRequest testAsUpdate(ParameterizedSparqlString update) { + return update.asUpdate(); + } + + @Test + public void test_param_string_constructor_1() { + // Test empty constructor + ParameterizedSparqlString query = new ParameterizedSparqlString(); + Assert.assertEquals("", query.getCommandText()); + } + + @Test + public void test_param_string_constructor_2() { + // Test constructor with null command - null command should map to empty + // command automagically + ParameterizedSparqlString query = new ParameterizedSparqlString((String) null); + Assert.assertEquals("", query.getCommandText()); + } + + @Test + public void test_param_string_constructor_3() { + // Test constructor with base URI + ParameterizedSparqlString query = new ParameterizedSparqlString("", "http://example.org";); + Assert.assertEquals("http://example.org";, query.getBaseUri()); + } + + @Test + public void test_param_string_constructor_4() { + // Test constructor with predefined parameters + QuerySolutionMap map = new QuerySolutionMap(); + Resource r = ResourceFactory.createResource("http://example.org";); + map.add("s", r); + ParameterizedSparqlString query = new ParameterizedSparqlString("", map); + + Assert.assertEquals(r.asNode(), query.getParam("s")); + } + + @Test + public void test_param_string_constructor_5() { + // Test constructor with predefined parameters - variant of constructor + // that does not require command text + QuerySolutionMap map = new QuerySolutionMap(); + Resource r = ResourceFactory.createResource("http://example.org";); + map.add("s", r); + ParameterizedSparqlString query = new ParameterizedSparqlString(map); + + Assert.assertEquals(r.asNode(), query.getParam("s")); + } + + @Test + public void test_param_string_constructor_6() { + // Test constructor with predefined parameters + QuerySolutionMap map = new QuerySolutionMap(); + Resource r = ResourceFactory.createResource("http://example.org";); + map.add("s", r); + Literal l = ResourceFactory.createPlainLiteral("example"); + map.add("o", l); + ParameterizedSparqlString query = new ParameterizedSparqlString("", map); + + Assert.assertEquals(r.asNode(), query.getParam("s")); + Assert.assertEquals(l.asNode(), query.getParam("o")); + } + + @Test + public void test_param_string_constructor_7() { + // Test constructor with predefined parameters - variant of constructor + // that does not require command text + QuerySolutionMap map = new QuerySolutionMap(); + Resource r = ResourceFactory.createResource("http://example.org";); + map.add("s", r); + Literal l = ResourceFactory.createPlainLiteral("example"); + map.add("o", l); + ParameterizedSparqlString query = new ParameterizedSparqlString(map); + + Assert.assertEquals(r.asNode(), query.getParam("s")); + Assert.assertEquals(l.asNode(), query.getParam("o")); + } + + @Test + public void test_param_string_constructor_8() { + // Test constructors with predefined prefixes + PrefixMappingImpl prefixes = new PrefixMappingImpl(); + prefixes.setNsPrefix("ex", "http://example.org";); + ParameterizedSparqlString query = new ParameterizedSparqlString("", prefixes); + + Assert.assertEquals(prefixes.getNsPrefixURI("ex"), query.getNsPrefixURI("ex")); + } + + @Test + public void test_param_string_constructor_9() { + // Test constructors with predefined prefixes - variant of constructor + // that does not require command text + PrefixMappingImpl prefixes = new PrefixMappingImpl(); + prefixes.setNsPrefix("ex", "http://example.org";); + ParameterizedSparqlString query = new ParameterizedSparqlString(prefixes); + + Assert.assertEquals(prefixes.getNsPrefixURI("ex"), query.getNsPrefixURI("ex")); + } + + @Test + public void test_param_string_iri_1() { + // Test simple injection + String cmdText = "SELECT * WHERE { ?s ?p ?o }"; + ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); + query.setIri("s", "http://example.org";); + + test(query, new String[] { "<http://example.org>" }, new String[] { "?s" }); + } + + @Test + public void test_param_string_iri_2() { + // Test simple injection + String cmdText = "SELECT * WHERE { ?s ?p ?o }"; + ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); + query.setIri("p", "http://example.org";); + + test(query, new String[] { "<http://example.org>" }, new String[] { "?p" }); + } + + @Test + public void test_param_string_iri_3() { + // Test simple injection + String cmdText = "SELECT * WHERE { ?s ?p ?o }"; + ParameterizedSparqlString query = new ParameterizedSparqlString(cmdText); + query.setIri("o", "http://example.org";); + + test(query, new String[] { "<http://example.org>" }, new String[] { "?o" }); + } + + @Test + public void test_param_string_iri_4() { + // Test simple injection + String cmdText = "SELECT * WHERE { ?s ?p ?o . ?s a ?type }"; + ParameterizedSparqlString query = new Parameteriz
<TRUNCATED>
