Thanks for the minimal complete test cases. This is indeed a low-level bug in ParameterizedSparqlString, captured as https://issues.apache.org/jira/browse/JENA-1497, and will have a fix out for review soon.

Rob

On 04/03/2018, 19:22, "Marc Agate" <agate.m...@gmail.com> wrote:

Hi,

I have the following piece of code setting up literal parameters:

*****************************************
if (st.startsWith(QueryConstants.LITERAL_ARGS_PARAMPREFIX)) {
    if (litParams.keySet().contains(st)) {
        // This literal has a language parameter associated with it
        String lang = converted.get(litParams.get(st));
        try {
            // Validate the language tag before binding it
            new Locale.Builder().setLanguageTag(lang).build();
        } catch (IllformedLocaleException ex) {
            return "ERROR --> language param :" + lang + " is not a valid BCP 47 language tag" + ex.getMessage();
        }
        queryStr.setLiteral(st, converted.get(st), lang);
    } else {
        // Some literals do not have a lang associated with them
        queryStr.setLiteral(st, converted.get(st));
    }
}
******************************************

and the following parameterized query string using jena Text:

******************************************
select ?comment (GROUP_CONCAT(DISTINCT ?comment_type; SEPARATOR=" <> ") AS ?comment_types) ?comment_name ?root ?root_name
where {
  (?root ?score ?root_name) text:query ?L_name .
  ?comment :workIsAbout ?root ;
           :workGenre ?g ;
           skos:prefLabel ?comment_name .
  ?g skos:prefLabel ?comment_type .
  FILTER ((contains(?comment_type, "commentary"))
       || (contains(?comment_type, "rnam bshad"))
       || (contains(?comment_type, "'grel pa"))
       || (contains(f:SankritFilter(?comment_type), "ṭīkā"))
       || (contains(f:SankritFilter(?comment_type), "vyākhyā")))
}
group by ?comment ?comment_name ?root ?root_name
******************************************

When I run that code with the parameter (L_name="rgyud bla ma") - including double quotes, I have the following exception:

********************************************
"org.apache.jena.sparql.ARQException: Command string is vunerable to injection attack, variable ?L_name appears inside of a literal and is bound to a literal which provides a SPARQL injection attack vector
at org.apache.jena.query.ParameterizedSparqlString.validateSafeToInject(ParameterizedSparqlString.java:1227)
at org.apache.jena.query.ParameterizedSparqlString.toString(ParameterizedSparqlString.java:1325)
at org.apache.jena.query.ParameterizedSparqlString.asQuery(ParameterizedSparqlString.java:1388)
at io.bdrc.ldspdi.sparql.InjectionTracker.getValidQuery(InjectionTracker.java:88)
at io.bdrc.ldspdi.rest.resources.PublicTemplatesResource.getQueryTemplateResults(PublicTemplatesResource.java:96)
at sun.reflect.GeneratedMethodAccessor163.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
at ......
*******************************************

I observed the following:

1. if I remove the FILTER, the exception goes away and the query runs fine
2. if I pass the following query to the Tracker with the exact same param (L_name="rgyud bla ma"), the query runs fine:

*********************
select ?id ?pref_nm ?cat_Info ?note ?num_Vol ?access ?license ?status
where {
  (?id ?score ?pref_nm) text:query ?L_name .
  ?id a :Work .
  ?id adm:access ?access .
  ?id adm:license ?license .
  ?id adm:status ?status .
  OPTIONAL { ?id :workCatalogInfo ?cat_Info }
  OPTIONAL { ?id :workBiblioNote ?note }
  OPTIONAL { ?id :workNumberOfVolumes ?num_Vol }
}
***************************

3. if I add FILTER contains(?cat_Info,"comment") to the query above, the query runs fine as well.

Note that for many other queries using the same process and jena Text, everything's working fine. For instance, this query being passed to the tracker:

select ?Work_ID ?Work_Name
where {
  (?Work_ID ?sc ?Work_Name) text:query ?L_name .
  ?Work_ID a :Work .
}

with the parameter L_name="chos dbyings" (with double quotes), after being processed by the tracker, becomes:

SELECT ?Work_ID ?Work_Name
WHERE {
  ( ?Work_ID ?sc ?Work_Name ) text:query "\"chos dbyings\"" .
  ?Work_ID rdf:type :Work
}
LIMIT 500

which proves that the proper escaping is done by ParameterizedSparqlString.

Do you have any idea about what's going on?

Marc
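A stand-alone reproducer for the behaviour Marc describes, added here as an example and not code from the thread or from Jena: it binds the same double-quoted value into the text:query triple with and without the FILTER and reports whether ParameterizedSparqlString's injection validation rejects it. The class name is mine, the two templates are trimmed from Marc's queries (prefixes are not needed because toString() validates without parsing), and on a Jena release from before the JENA-1497 fix the FILTER case is the one expected to be rejected.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.sparql.ARQException;

public class Jena1497Check {

    // Marc's text:query triple plus the FILTER whose string literals
    // (note the apostrophe in "'grel pa") accompany the false positive.
    static final String WITH_FILTER =
        "SELECT ?comment ?root_name WHERE {\n" +
        "  (?root ?score ?root_name) text:query ?L_name .\n" +
        "  ?comment :workIsAbout ?root ; :workGenre ?g .\n" +
        "  ?g skos:prefLabel ?comment_type .\n" +
        "  FILTER ((contains(?comment_type, \"commentary\"))\n" +
        "       || (contains(?comment_type, \"rnam bshad\"))\n" +
        "       || (contains(?comment_type, \"'grel pa\"))\n" +
        "       || (contains(f:SankritFilter(?comment_type), \"ṭīkā\"))\n" +
        "       || (contains(f:SankritFilter(?comment_type), \"vyākhyā\")))\n" +
        "}";

    // The same triple pattern with no FILTER, which Marc reports is accepted.
    static final String WITHOUT_FILTER =
        "SELECT ?id ?pref_nm WHERE {\n" +
        "  (?id ?score ?pref_nm) text:query ?L_name .\n" +
        "  ?id a :Work .\n" +
        "}";

    /** Binds L_name as a plain string literal and runs the injection check.
     *  Returns null when accepted, otherwise the ARQException message. */
    static String bindAndValidate(String template, String value) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(template);
        pss.setLiteral("L_name", value);   // value is escaped into a literal
        try {
            pss.toString();                // calls validateSafeToInject()
            return null;
        } catch (ARQException ex) {
            return ex.getMessage();
        }
    }

    public static void main(String[] args) {
        // The user-supplied value includes its own double quotes, as in Marc's report.
        String value = "\"rgyud bla ma\"";
        String[][] cases = {{"with FILTER", WITH_FILTER}, {"without FILTER", WITHOUT_FILTER}};
        for (String[] c : cases) {
            String msg = bindAndValidate(c[1], value);
            System.out.println(c[0] + ": " + (msg == null ? "accepted" : "rejected: " + msg));
        }
    }
}
```

Running both cases against a patched and an unpatched Jena on the classpath is a quick way to confirm whether the fix for JENA-1497 is present, since the literal itself is escaped correctly in every case and only the validation step differs.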