Thanks for the minimal complete test cases.

This is indeed a low-level bug in ParameterizedSparqlString, captured as 
https://issues.apache.org/jira/browse/JENA-1497, and will have a fix out for 
review soon.

Rob

On 04/03/2018, 19:22, "Marc Agate" <agate.m...@gmail.com> wrote:

    Hi,
    
    I have the following piece of code setting up literal parameters:
    *****************************************
    
    if (st.startsWith(QueryConstants.LITERAL_ARGS_PARAMPREFIX)) {
        if (litParams.containsKey(st)) {
            String lang = converted.get(litParams.get(st));
            // Reject the parameter unless its language tag is well-formed BCP 47
            try {
                new Locale.Builder().setLanguageTag(lang).build();
            } catch (IllformedLocaleException ex) {
                return "ERROR --> language param :" + lang
                        + " is not a valid BCP 47 language tag: " + ex.getMessage();
            }
            queryStr.setLiteral(st, converted.get(st), lang);
        } else {
            // Some literals do not have a lang associated with them
            queryStr.setLiteral(st, converted.get(st));
        }
    }
    
    ******************************************
    and the following parameterized query string using Jena Text:
    ******************************************
    
    select ?comment (GROUP_CONCAT(DISTINCT ?comment_type; SEPARATOR=" <> ") AS ?comment_types) ?comment_name ?root ?root_name
    where {
        (?root ?score ?root_name) text:query ?L_name .
        ?comment :workIsAbout ?root ;
                 :workGenre ?g ;
                 skos:prefLabel ?comment_name .
        ?g skos:prefLabel ?comment_type .
        FILTER ((contains(?comment_type, "commentary" ))
             || (contains(?comment_type, "rnam bshad" ))
             || (contains(?comment_type, "'grel pa" ))
             || (contains(f:SankritFilter(?comment_type), "ṭīkā" ))
             || (contains(f:SankritFilter(?comment_type), "vyākhyā" )))
    }
    group by ?comment ?comment_name ?root ?root_name
    
    ******************************************
    When I run that code with the parameter (L_name="rgyud bla ma"),
    including the double quotes, I get the following exception:
    
    ********************************************
    
    org.apache.jena.sparql.ARQException: Command string is vunerable to injection attack, variable ?L_name appears inside of a literal and is bound to a literal which provides a SPARQL injection attack vector
        at org.apache.jena.query.ParameterizedSparqlString.validateSafeToInject(ParameterizedSparqlString.java:1227)
        at org.apache.jena.query.ParameterizedSparqlString.toString(ParameterizedSparqlString.java:1325)
        at org.apache.jena.query.ParameterizedSparqlString.asQuery(ParameterizedSparqlString.java:1388)
        at io.bdrc.ldspdi.sparql.InjectionTracker.getValidQuery(InjectionTracker.java:88)
        at io.bdrc.ldspdi.rest.resources.PublicTemplatesResource.getQueryTemplateResults(PublicTemplatesResource.java:96)
        at sun.reflect.GeneratedMethodAccessor163.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
        at ......
    
    *******************************************
    
    
    I observed the following:
    
    1. If I remove the FILTER, the exception goes away and the query runs fine.
    2. If I pass the following query to the Tracker with the exact same
    param (L_name="rgyud bla ma"), the query runs fine:
    
    *********************
    select ?id ?pref_nm ?cat_Info ?note ?num_Vol ?access ?license ?status
    where {
    (?id ?score ?pref_nm) text:query ?L_name .
    ?id a :Work .
    ?id adm:access ?access .
    ?id adm:license ?license .
    ?id adm:status ?status .
    OPTIONAL { ?id :workCatalogInfo ?cat_Info }
    OPTIONAL { ?id :workBiblioNote ?note }
    OPTIONAL { ?id :workNumberOfVolumes ?num_Vol }
    }
    ***************************
    
    
    3. If I add FILTER contains(?cat_Info,"comment") to the query above,
    the query runs fine as well.
    
    
    Note that for many other queries using the same process and Jena Text,
    everything is working fine. For instance, this query being passed to the tracker:
    
    select ?Work_ID ?Work_Name
    where {
        (?Work_ID ?sc ?Work_Name) text:query ?L_name .
        ?Work_ID a :Work .
    }
    
    with the parameter L_name="chos dbyings" (with double quotes), after being
    processed by the tracker, becomes:
    
    SELECT  ?Work_ID ?Work_Name
    WHERE
      { ( ?Work_ID ?sc ?Work_Name )
                  text:query  "\"chos dbyings\"" .
        ?Work_ID  rdf:type    :Work
      }
    LIMIT   500
    
    which proves that the proper escaping is done by
    ParameterizedSparqlString.
    
    Do you have any idea what's going on?
    
    
    Marc
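A minimal Java harness for the two templates in the report, added here and not part of the thread or of Jena: it binds the reported parameter with setLiteral and reports which template ParameterizedSparqlString refuses to render, so it can double as a regression check once the fix lands. The prefix URIs for ':' and 'f:' are placeholders, not the reporter's real namespaces, and the aggregation has been dropped from the failing template because the report ties the failure to the FILTER.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.sparql.ARQException;
// Added harness (not code from the thread): binds the reported parameter to both
// templates and reports which one ParameterizedSparqlString's injection check rejects.
public class Jena1497Repro {
    // Template from the report that raises the exception, without the aggregation,
    // since the reporter traced the failure to the FILTER. Prefix URIs are assumptions.
    static final String FAILING = String.join("\n",
        "select ?comment ?comment_name ?root ?root_name where {",
        "  (?root ?score ?root_name) text:query ?L_name .",
        "  ?comment :workIsAbout ?root ; :workGenre ?g ; skos:prefLabel ?comment_name .",
        "  ?g skos:prefLabel ?comment_type .",
        "  FILTER ((contains(?comment_type, \"commentary\"))",
        "       || (contains(?comment_type, \"rnam bshad\"))",
        "       || (contains(?comment_type, \"'grel pa\"))",
        "       || (contains(f:SankritFilter(?comment_type), \"ṭīkā\"))",
        "       || (contains(f:SankritFilter(?comment_type), \"vyākhyā\")))",
        "}");

    // Template from the report that renders fine with the same parameter.
    static final String WORKING = String.join("\n",
        "select ?id ?pref_nm where {",
        "  (?id ?score ?pref_nm) text:query ?L_name .",
        "  ?id a :Work .",
        "}");

    // Binds ?L_name via setLiteral (Jena escapes the value; nothing is concatenated by
    // hand) and tries to render and parse; false means the injection check or parser refused.
    static boolean renders(String template, String lName) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(template);
        pss.setNsPrefix("text", "http://jena.apache.org/text#");
        pss.setNsPrefix("skos", "http://www.w3.org/2004/02/skos/core#");
        pss.setNsPrefix("", "http://example.org/placeholder/");           // placeholder ':'
        pss.setNsPrefix("f", "http://example.org/placeholder/functions#"); // placeholder 'f:'
        pss.setLiteral("L_name", lName);
        try {
            pss.asQuery();   // toString() runs validateSafeToInject before the parser sees it
            return true;
        } catch (ARQException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String param = "\"rgyud bla ma\"";   // double quotes included, as in the report
        System.out.println("working template renders: " + renders(WORKING, param));
        System.out.println("failing template renders: " + renders(FAILING, param));
    }
}
```

On a Jena build that still carries the reported behaviour, the first line prints true and the second prints false together with the ARQException message from the stack trace above.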



