Ok I've now had time to look at this some more and managed to turn all the
previously identified injection attacks into detectable attacks.
I took your suggestions and did some delimiter detection on the strings;
we have to track all relevant delimiters <>.,;{}()[]\n\r because we are
interested in the closest delimiters to the position we want to inject at.
I also added the code to escape ' within literals, which closes off that
vulnerability as well.
I haven't yet looked at the other potential vulnerabilities you identified,
e.g. injecting things inside of <>, so there may still be as yet
unidentified vulnerabilities which still need tests and fixing.
Rob
On 3/31/13 10:13 AM, "Andy Seaborne" <[email protected]> wrote:
>On 28/03/13 22:57, Rob Vesse wrote:
>> // This is a case where we cannot detect the difference between a valid
>> // parameterized string and one that is subject to injection
>> String str = "PREFIX :<http://example/>\nINSERT DATA { <s> <p> \" ?var \" }";
>> ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
>> pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
>>
>> The problem here is that we can't tell that this is an injection vector
>> because we can't obviously distinguish between the case where the
>>original
>> string is subject to injection and where the original string is valid,
>> because the following would be perfectly valid (ignoring the fact you
>> can't create triples with literal subjects) and not an injection vector:
>>
>> INSERT DATA { "s" ?var "o" }
>
>
>It would be really good to have a robust solution and I think this can
>be done with a little light parsing of the command string.
>
>How does this sound?
>
>In toString, analyse the command string to count the bare " characters
>(being careful about \" and comments) so as to know if the variable is
>inside "-delimiters or not. This produces an array of string start/stop
>points in the string (more conveniently, two arrays, one of starts, one
>of stops).
>
>The replacement step checks the location of the ?var against this. If
>the var is inside delimiters then throw an exception.
>
>Conveniently, that works for """ as well.
>
>'?var' can be addressed by additional escaping of ' after FmtUtils has
>produced a literal form to insert.
>
>Anything else need catching?
>
>Checks needed for other things:
>
>URIs: check no < or > and no other delimiters
>
>bNodes: Presumably inserting as <_:label> is useful to work with bNode.
>
>The label needs to be checked for spaces and delimiters.
>
> Andy
>
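The check Andy sketches above, written out as an added Python example (not code from this thread or from the Jena code base; the function names are assumed): scan the command string for string-literal spans while honouring \" escapes, triple quotes and # comments, refuse a replacement whose ?var sits inside a span, and escape both quote kinds in the value that gets inserted, as Rob describes.

```python
import re

def string_literal_spans(cmd):
    """Return (start, stop) index pairs, one per string literal in cmd.

    Handles "..." and '...' as well as the triple-quoted forms, skips
    backslash escapes such as \\" inside a literal, and ignores any quote
    that appears in a # comment.
    """
    spans = []
    i, n = 0, len(cmd)
    while i < n:
        c = cmd[i]
        if c == '#':                          # comment: skip to end of line
            while i < n and cmd[i] not in '\r\n':
                i += 1
        elif c in '"\'':
            quote = c * 3 if cmd.startswith(c * 3, i) else c
            start = i
            i += len(quote)
            while i < n and not cmd.startswith(quote, i):
                i += 2 if cmd[i] == '\\' else 1   # \" does not close the literal
            i = min(i + len(quote), n)        # unterminated literal runs to end
            spans.append((start, i))
        else:
            i += 1
    return spans

def var_positions(cmd, var):
    """Start offsets of every ?var / $var occurrence (whole name only)."""
    return [m.start() for m in re.finditer(r'[?$]' + re.escape(var) + r'\b', cmd)]

def set_literal(cmd, var, value):
    """Replace ?var with a quoted literal, or raise if any occurrence of
    ?var already lies inside a string literal (Rob's undetectable case)."""
    spans = string_literal_spans(cmd)
    for pos in var_positions(cmd, var):
        if any(start < pos < stop for start, stop in spans):
            raise ValueError(f"?{var} at offset {pos} is inside a string literal")
    # Escape the backslash and both quote kinds so the value can never
    # terminate the literal it is placed in.
    escaped = value.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
    # A callable replacement keeps re.sub from reinterpreting our backslashes.
    return re.sub(r'[?$]' + re.escape(var) + r'\b', lambda _: f'"{escaped}"', cmd)

# Constructed inputs: Rob's injection vector versus the valid command it mimics.
INJECTABLE = 'PREFIX :<http://example/>\nINSERT DATA { <s> <p> " ?var " }'
VALID = 'INSERT DATA { <s> <p> ?var }'
PAYLOAD = ' . } ; DROP ALL ; INSERT DATA { <s> <p> '
```

With VALID the payload ends up as one harmless string literal; with INJECTABLE the call raises instead of producing a second command.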