On 28/03/13 22:57, Rob Vesse wrote:
> // This is a case where we cannot detect the difference between a valid
> // parameterized string and one that is subject to injection
> String str = "PREFIX :<http://example/>\nINSERT DATA { <s> <p> \" ?var \" }";
> ParameterizedSparqlString pss = new ParameterizedSparqlString(str);
> pss.setLiteral("var", " . } ; DROP ALL ; INSERT DATA { <s> <p> ");
>
> The problem here is that we can't tell that this is an injection vector
> because we can't obviously distinguish between the case where the original
> string is subject to injection and where the original string is valid,
> because the following would be perfectly valid (ignoring the fact you
> can't create triples with literal subjects) and not an injection vector:
>
> INSERT DATA { "s" ?var "o" }
It would be really good to have a robust solution and I think this can
be done with a little light parsing of the command string.
How does this sound?
In toString, analyse the command string to count the bare " characters
(being careful about \" and comments) so as to know if the variable is
inside "-delimiters or not. This produces an array of string start/stop
points in the string (more conveniently, two arrays, one of starts, one
of stops).
The replacement step checks the location of the ?var against this. If
the var is inside delimiters then throw an exception.
Conveniently, that works for """ as well.
'?var' can be addressed by additional escaping of ' after FmtUtils has
produced a literal form to insert.
Anything else need catching?
Checks needed for other things:
URIs: check no < or > and no other delimiters
bNodes: Presumably inserting as <_:label> is useful to work with bNode.
The label needs to be checked for spaces and delimiters.
Andy
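Added example, not part of this thread and not Jena's ParameterizedSparqlString code: a Python sketch of the light parse Andy describes (string start/stop points, with `\"`, comments and `"""` handled), the position check that refuses a ?var sitting inside delimiters, the extra `'` escaping of the literal form, and the delimiter checks for IRIs and blank node labels. The function names, the InjectionError type and the ASCII-only label rule are assumptions for illustration, not Jena API.

```python
import re

# Assumed name for the error ParameterizedSparqlString would throw; not Jena's.
class InjectionError(ValueError):
    pass


def literal_spans(cmd):
    # Return [(start, end), ...] half-open ranges of string literals in cmd.
    # Recognises "..." and '...', the long forms """...""" and '''...''',
    # backslash escapes inside literals, # comments (skipped, not recorded)
    # and <IRI> tokens (skipped so a # or quote inside an IRI is not misread).
    spans = []
    i, n = 0, len(cmd)
    while i < n:
        c = cmd[i]
        if c == "#":
            # comment runs to end of line; quotes inside it are not delimiters
            j = cmd.find("\n", i)
            i = n if j < 0 else j + 1
        elif c == "<":
            # IRIREF is <...> with no whitespace or other delimiters inside;
            # if no such > follows, treat < as an ordinary operator (FILTER ?x < 3)
            j = i + 1
            while j < n and cmd[j] not in ' \t\r\n<>"{}|^`\\':
                j += 1
            i = j + 1 if j < n and cmd[j] == ">" else i + 1
        elif c in "\"'":
            q = cmd[i:i + 3] if cmd[i:i + 3] in ('"""', "'''") else c
            start = i
            i += len(q)
            while i < n:
                if cmd[i] == "\\":
                    i += 2                 # skip an escaped character such as \"
                elif cmd.startswith(q, i):
                    i += len(q)            # matching closing delimiter
                    break
                else:
                    i += 1
            else:
                raise InjectionError("unterminated literal at offset %d" % start)
            spans.append((start, i))
        else:
            i += 1
    return spans


def _var_pattern(name):
    # ?name or $name, not followed by a further name character (?var vs ?variable)
    return re.compile(r"[?$]" + re.escape(name) + r"(?![A-Za-z0-9_])")


def check_variable(cmd, name):
    # Raise if any occurrence of the variable lies inside a string literal.
    spans = literal_spans(cmd)
    for m in _var_pattern(name).finditer(cmd):
        if any(s <= m.start() < e for s, e in spans):
            raise InjectionError("?%s at offset %d is inside a string literal" % (name, m.start()))
    return True


# Escapes applied to the literal form; ' is escaped too so '?var' is covered.
_ESCAPES = {"\\": "\\\\", '"': '\\"', "'": "\\'", "\n": "\\n", "\r": "\\r", "\t": "\\t"}


def format_literal(value):
    return '"' + "".join(_ESCAPES.get(ch, ch) for ch in value) + '"'


def set_literal(cmd, name, value):
    # Substitute a string value for the variable, refusing an in-literal position.
    check_variable(cmd, name)
    return _var_pattern(name).sub(lambda m: format_literal(value), cmd)


# Characters that could close or split an IRI's <...> delimiters.
_IRI_BAD = set('<>"{}|^`\\ \t\r\n')


def check_iri(iri):
    bad = [ch for ch in iri if ch in _IRI_BAD or ord(ch) < 0x20]
    if bad:
        raise InjectionError("IRI contains forbidden character %r" % bad[0])
    return "<" + iri + ">"


# Assumed ASCII-only approximation of a blank node label: no spaces, no
# delimiters, may contain but not end with a dot.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_.-]*[A-Za-z0-9_-])?$")


def check_bnode_label(label):
    if not _LABEL_RE.match(label):
        raise InjectionError("bad blank node label %r" % label)
    return "<_:" + label + ">"


if __name__ == "__main__":
    # Rob's vulnerable string (constructed from the thread) is refused; the
    # valid one is substituted with the payload rendered as a harmless literal.
    payload = " . } ; DROP ALL ; INSERT DATA { <s> <p> "
    try:
        set_literal('PREFIX :<http://example/>\nINSERT DATA { <s> <p> " ?var " }', "var", payload)
    except InjectionError as e:
        print("refused:", e)
    print(set_literal('INSERT DATA { "s" ?var "o" }', "var", payload))
```

The scan records only string literals, as the note proposes; IRIs and comments are skipped so that a `#` or `"` inside them is not mistaken for a delimiter, and a `\` inside a literal always consumes the next character, which is what makes `\"` safe.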