Index: test/org/mindswap/pellet/query/ParameterizedStringTest.java =================================================================== --- test/org/mindswap/pellet/query/ParameterizedStringTest.java (revisión: 0) +++ test/org/mindswap/pellet/query/ParameterizedStringTest.java (revisión: 25) @@ -0,0 +1,220 @@ +package org.mindswap.pellet.query; + +import com.hp.hpl.jena.query.Syntax; + +import junit.framework.TestCase; + +/** + * @author Pablo Orduña ( MoreLab ) + * @author Aitor Almeida ( MoreLab ) + * @author Unai Aguilera ( MoreLab ) + * @author Iker Larizgoitia ( MoreLab ) + * @author Xabier Laiseca ( MoreLab ) + * + */ +public class ParameterizedStringTest extends TestCase{ + private final String XSD = "http://www.w3.org/2001/XMLSchema#"; + + public void testParameterizedString(){ + String query_start = "SELECT a = "; + String query_end = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_start + "${user}" + query_end); + pqs.setString("user", "something"); + assertEquals(query_start + "'something'^^<"+ XSD +"string>" + query_end, pqs.getStringQuery()); + } + + public void testParameterizedStringNotChanged(){ + String query_begin = "SELECT a = "; + String fin_query = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + fin_query); + try{ + pqs.getStringQuery(); + fail("Expected ParameterNotAssignedException"); + }catch(ParameterNotAssignedException pnae){ + //pass + } + } + + public void testParameterizedStringReplacedWithBraces(){ + String query_begin = "SELECT a = "; + String fin_query = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + fin_query); + pqs.setString("user", "${user}"); + assertEquals( + "SELECT a = '${user}'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + } + + public void testParameterizedStringWithQuote(){ + String query_begin = "SELECT a = "; + String fin_query = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + fin_query); + pqs.setString("user", "O'Reilly"); + assertEquals( + "SELECT a = 'O\\'Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + } + + public void testParameterizedStringWithOtherChars(){ + String query_begin = "SELECT a = "; + String fin_query = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + fin_query); + pqs.setString("user", "said \"hello\" :-)"); + assertEquals( + "SELECT a = 'said \\\"hello\\\" :-)'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "and\0"); + assertEquals( + "SELECT a = 'and\\0'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "and\n"); + assertEquals( + "SELECT a = 'and\\n'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "and\\"); + assertEquals( + "SELECT a = 'and\\\\'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "and\r"); + assertEquals( + "SELECT a = 'and\\r'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + } + + public void testParameterizedStringWithUnicodeQuote(){ + String query_begin = "SELECT a = "; + String query_end = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + query_end); + pqs.setString("user", "O\\u0027Reilly's books"); + assertEquals( + "SELECT a = 'O\\'Reilly\\'s books'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "O\\u0027Reilly"); + assertEquals( + "SELECT a = 'O\\'Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "\\u0027Reilly"); + assertEquals( + "SELECT a = '\\'Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "\\\\u0027Reilly"); + assertEquals( + "SELECT a = '\\\\\\\\u0027Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + pqs.setString("user", "\\u00000027Reilly"); + assertEquals( + "SELECT a = '\\'Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery() + ); + } + + public void testParameterizedStringUnsupportedSyntax(){ + ParameterizedString pqs = new ParameterizedString("whatever"); + try{ + pqs.getStringQuery(Syntax.syntaxARQ); + fail("Expected UnsupportedOperationException"); + }catch(UnsupportedOperationException uoe){ + //pass + } + } + + public void testParameterizedStringWithUnicodeQuoteAndRDQL(){ + String query_begin = "SELECT a = "; + String query_end = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + query_end); + pqs.setString("user", "O\\u0027Reilly's books"); + assertEquals( + "SELECT a = 'O\\\\u0027Reilly\\'s books'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery(Syntax.syntaxRDQL) + ); + pqs.setString("user", "O\\u0027Reilly"); + assertEquals( + "SELECT a = 'O\\\\u0027Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery(Syntax.syntaxRDQL) + ); + pqs.setString("user", "\\u0027Reilly"); + assertEquals( + "SELECT a = '\\\\u0027Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery(Syntax.syntaxRDQL) + ); + pqs.setString("user", "\\\\u0027Reilly"); + assertEquals( + "SELECT a = '\\\\\\\\u0027Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery(Syntax.syntaxRDQL) + ); + pqs.setString("user", "\\u00000027Reilly"); + assertEquals( + "SELECT a = '\\\\u00000027Reilly'^^<"+ XSD +"string> WHERE ", + pqs.getStringQuery(Syntax.syntaxRDQL) + ); + } + + public void testParameterizedStringParameterDoesNotExist(){ + String query_begin = "SELECT a = "; + String fin_query = " WHERE "; + ParameterizedString pqs = new ParameterizedString(query_begin + "${user}" + fin_query); + try{ + pqs.setString("this.does.not.exist", "whatever"); + fail("Expected ParameterNotFoundException"); + }catch(ParameterNotFoundException pnae){ + //pass + } + } + + public void testParameterizedStringFinishingInVariable(){ + ParameterizedString pqs = new ParameterizedString("${user1}${user2}${user3}${user4}"); + pqs.setString("user1", "whatever1"); + pqs.setString("user2", "whatever2"); + pqs.setString("user3", "whatever3"); + pqs.setString("user4", "whatever4"); + assertEquals( + "'whatever1'^^" + + "'whatever2'^^" + + "'whatever3'^^" + + "'whatever4'^^", + pqs.getStringQuery() + ); + } + + public void testXsdTypes(){ + ParameterizedString pqs = new ParameterizedString( + "${short}" + + "${int}" + + "${long}" + + "${double}" + + "${float}" + + "${boolean}" + + "${byte}" + ); + pqs.setShort( "short", (short)1); + pqs.setInt( "int", 2); + pqs.setLong( "long", 3L); + pqs.setDouble( "double", 4.0); + pqs.setFloat( "float", 5.0f); + pqs.setBoolean( "boolean", true); + pqs.setByte( "byte", (byte)6); + + assertEquals( + "'1'^^<" + XSD + "short>" + + "'2'^^<" + XSD + "int>" + + "'3'^^<" + XSD + "long>" + + "'4.0'^^<" + XSD + "double>" + + "'5.0'^^<" + XSD + "float>" + + "'true'^^<" + XSD + "boolean>" + + "'6'^^<" + XSD + "byte>", + pqs.getStringQuery() + ); + } + +} Index: src/org/mindswap/pellet/query/ParameterizedString.java =================================================================== --- src/org/mindswap/pellet/query/ParameterizedString.java (revisión: 0) +++ src/org/mindswap/pellet/query/ParameterizedString.java (revisión: 25) @@ -0,0 +1,379 @@ +package org.mindswap.pellet.query; + +import java.util.Hashtable; +import java.util.List; +import java.util.Map; +import java.util.Vector; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import com.hp.hpl.jena.query.QueryFactory; +import com.hp.hpl.jena.query.Syntax; +import com.hp.hpl.jena.update.UpdateFactory; + +/** An Object that represents a parameterized query string. + * + * In order to easily avoid SPARQL Injection/SPARUL Injection/RDQL + * Injection, it is possible to use thisclass to generate the initial + * SPARQL query (or modification or RDQL query) with parameters in the + * ${parameter.name} format, and then assign values to each parameter + * with the set methods. Each set method will check that there is no + * SPARQL/SPARUL/RDQL code inside. + * + * 
+ * public ResultSet findFriends(String userInput){ 
+ *     ParameterizedString secQuery = new ParameterizedString(
+ *              "PREFIX sample:  " +
+ *              "SELECT ?p1 ?p2 " +
+ *              "WHERE {" +
+ *              "      ?p1 a sample:Person . " +
+ *              "      ?p2 a sample:Person . " +
+ *              "      ?p1 sample:fullName ${full.name} . " +
+ *              "      ?p1 sample:isFriendOf ?p2 . " +
+ *              "}";
+ *     );
+ *     seqQuery.setString("full.name", userInput);
+ *     Query query = QueryFactory.create(seqQuery);
+ *     QueryExecution queryExecution = QueryExecutionFactory.create(
+ *         query, 
+ *         this.model
+ *     );
+ *     return queryExecution.execSelect();
+ * }
+ *
+ * + * A malicious user trying to inject code like: + * + * 
+ * String userInput = "John Smith' . " +
+ *      "?b1 a injection:Building . " +
+ *      "?b1 injection:name ?buildingName . " +
+ *      "FILTER  regex(?buildingName, \"^F.*\") . " +
+ *      "} #"; // }:-D
+ *
+ * + * to perform Blind SPARQL Injection (is there a building in the ontology + * which starts with F?) will not be successful. + * + * @author Pablo Orduña ( MoreLab ) + * @author Aitor Almeida ( MoreLab ) + * @author Unai Aguilera ( MoreLab ) + * @author Iker Larizgoitia ( MoreLab ) + * @author Xabier Laiseca ( MoreLab ) + * + * @see QueryFactory + * @see UpdateFactory + */ + +public class ParameterizedString { + + public final String PARAMETER_REGEX = "\\$\\{[a-zA-Z0-9_\\.-]+\\}"; + private final String XSD = "http://www.w3.org/2001/XMLSchema#"; + + // SELECT ?name FROM { ${name} } + // would be: + + private String [] querySplitted; // {"SELECT ?name FROM { ", " }"} + private String [] keys; // name + // String -> String + private Map values = new Hashtable(); // name : ValueClass{"boolean","true"} + + private class ValueClass{ + private String type; //http://www.w3.org/TR/xmlschema-2/#built-in-datatypes + private String value; + public ValueClass(String type, String value){ + this.type = type; + this.value = value; + } + + public String getType() { + return type; + } + + public String getValue() { + return value; + } + } + + /** + * Initialize the object with a parameterized query. + * + * The parameters are defined by {@link #PARAMETER_REGEX} syntax. + * + * @param query The parameterized query + */ + + public ParameterizedString(String query){ + if(query == null) + throw new IllegalArgumentException("query argument can't be null"); + this.initialize(query + " "); + } + + void initialize(String query){ + this.querySplitted = parseQuerySplitted(query); + this.keys = parseParameters(query); + } + + private String [] parseParameters(String s) { + Pattern pat = Pattern.compile(this.PARAMETER_REGEX); + Matcher mat = pat.matcher(s); + List parameters = new Vector(); + while(mat.find()){ + String param = mat.group(); + param = param.substring(2, param.length() - 1); + parameters.add(param); + } + return (String[])parameters.toArray(new String[]{}); + } + + private String [] parseQuerySplitted(String s) { + Pattern pat = Pattern.compile(this.PARAMETER_REGEX); + return pat.split(s); + } + + /** + * Sets the designated parameter to the given Java int value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setInt (String label, int value) + { + // http://www.w3.org/TR/xmlschema-2/#int + setParameter(label, new ValueClass("int", Integer.toString(value))); + } + + /** + * Sets the designated parameter to the given Java short value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setShort (String label, short value) + { + // http://www.w3.org/TR/xmlschema-2/#short + setParameter(label, new ValueClass("short", Short.toString(value))); + } + + /** + * Sets the designated parameter to the given Java long value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setLong (String label, long value) + { + // http://www.w3.org/TR/xmlschema-2/#long + setParameter(label, new ValueClass("long", Long.toString(value))); + } + + /** + * Sets the designated parameter to the given Java double value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setDouble (String label, double value) + { + // http://www.w3.org/TR/xmlschema-2/#double + setParameter(label, new ValueClass("double", Double.toString(value))); + } + + /** + * Sets the designated parameter to the given Java float value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setFloat (String label, float value) + { + // http://www.w3.org/TR/xmlschema-2/#float + setParameter(label, new ValueClass("float", Float.toString(value))); + } + + /** + * Sets the designated parameter to the given Java boolean value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setBoolean (String label, boolean value) + { + // http://www.w3.org/TR/xmlschema-2/#boolean + setParameter(label, new ValueClass("boolean", Boolean.toString(value))); + } + + /** + * Sets the designated parameter to the given Java byte value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setByte (String label, byte value) + { + // http://www.w3.org/TR/xmlschema-2/#byte + setParameter(label, new ValueClass("byte", Byte.toString(value))); + } + + /** + * Sets the designated parameter to the given Java String value. + * + * @param label the parameter name. + * @param value the parameter value. + */ + + public void setString (String label, String value) + { + //http://www.w3.org/TR/xmlschema-2/#string + if(value == null) + throw new IllegalArgumentException("param argument can't be null"); + setParameter(label, new ValueClass("string", value)); + } + + private void setParameter (String label, ValueClass param) + { + for(int i = 0; i < this.keys.length; ++i) + if(this.keys[i].equals(label)){ + this.values.put(label, param); + return; + } + throw new ParameterNotFoundException("Parameter " + label + " not found"); + } + + /** + * Build again the query with the provided parameters. + * + * This method will be called by the QueryFactory object. + * + * @return The query + * @throws ParameterNotAssignedException + */ + + public String getStringQuery(){ + return this.getStringQuery(Syntax.syntaxSPARQL); + } + + /** + * Build again the query with the provided parameters. + * + * This method will be called by the QueryFactory object. + * + * @return The query + * @throws ParameterNotAssignedException + */ + + public String getStringQuery(Syntax langURI){ + if( + langURI == Syntax.syntaxSPARQL + || langURI == Syntax.syntaxRDQL + ) + return this.getStringQueryImpl(langURI); + else + throw new UnsupportedOperationException("Unsupported syntax: " + langURI); + } + + private String getStringQueryImpl(Syntax langURI){ + int length = this.querySplitted.length; + + String stringQuery = ""; + for(int i = 0; i < length - 1; ++i){ + stringQuery += this.querySplitted[i]; + if(!this.values.containsKey(this.keys[i])) + throw new ParameterNotAssignedException("Parameter " + this.keys[i] + " was not assigned"); + + ValueClass parameter = (ValueClass)this.values.get(this.keys[i]); + String securedValue = this.secureParameter(parameter.getValue(), langURI); + String finalParameterValue = "'" + securedValue + "'^^<" + this.XSD + parameter.getType() + ">"; + stringQuery += finalParameterValue; + } + + if(length > 0) + stringQuery += this.querySplitted[length - 1]; + + return stringQuery.substring(0, stringQuery.length() - 1); + } + + private String secureParameter(String param, Syntax langURI) { + String parsedParameter; + if(langURI == Syntax.syntaxSPARQL) + parsedParameter = parseUnicode(param); + else if(langURI == Syntax.syntaxRDQL) + parsedParameter = param; + else + // should not happen + throw new UnsupportedOperationException("Unsupported langURI: " + langURI); + + return checkCharacters(parsedParameter); + } + + private String checkCharacters(String secureParam) { + StringBuffer buffer = new StringBuffer(); + for(int i = 0; i < secureParam.length(); ++i){ + char c = secureParam.charAt(i); + switch(c){ + case '\'': + buffer.append('\\'); + buffer.append('\''); + break; + case '\\': + buffer.append('\\'); + buffer.append('\\'); + break; + // From here to the end... just in case + // http://www.w3.org/TR/rdf-sparql-query/#grammarEscapes + // http://www.w3.org/Submission/2004/SUBM-RDQL-20040109/#lexical-tokens + case '\t': + buffer.append('\\'); + buffer.append('t'); + break; + case '\n': + buffer.append('\\'); + buffer.append('n'); + break; + case '\r': + buffer.append('\\'); + buffer.append('r'); + break; + case '\b': + buffer.append('\\'); + buffer.append('b'); + break; + case '\"': + buffer.append('\\'); + buffer.append('\"'); + break; + case '\0': + buffer.append('\\'); + buffer.append('0'); + break; + default: + buffer.append(c); + } + } + + return buffer.toString(); + } + + private String parseUnicode(String param){ + // Only needed for SPAR{Q,U}L + // http://www.w3.org/TR/rdf-sparql-query/#codepointEscape + String unicodeRegex = "([^\\\\]|^)\\\\u([0-9a-fA-F]{4,8})"; + Pattern pat = Pattern.compile(unicodeRegex); + Matcher mat = pat.matcher(param); + while(mat.find()){ + String currentMatch = mat.group(); + String firstCharacter = currentMatch.substring(0,currentMatch.lastIndexOf("\\")); + String numberInHex = currentMatch.substring(currentMatch.lastIndexOf("u") + 1); + char charValue = (char)Integer.parseInt(numberInHex, 16); + param = param.replace(currentMatch, firstCharacter + charValue); + } + return param; + } +} Index: src/org/mindswap/pellet/query/ParameterNotFoundException.java =================================================================== --- src/org/mindswap/pellet/query/ParameterNotFoundException.java (revisión: 0) +++ src/org/mindswap/pellet/query/ParameterNotFoundException.java (revisión: 25) @@ -0,0 +1,23 @@ +package org.mindswap.pellet.query; + +import com.hp.hpl.jena.shared.JenaException; + +/** + * + * @author Pablo Orduña ( MoreLab ) + * @author Aitor Almeida ( MoreLab ) + * @author Unai Aguilera ( MoreLab ) + * @author Iker Larizgoitia ( MoreLab ) + * @author Xabier Laiseca ( MoreLab ) + * + */ +public class ParameterNotFoundException extends JenaException { + + public ParameterNotFoundException() {} + + public ParameterNotFoundException(String message) { super(message); } + + public ParameterNotFoundException(Throwable cause) { super(cause); } + + public ParameterNotFoundException(String message, Throwable cause) { super(message, cause); } +} Index: src/org/mindswap/pellet/query/ParameterNotAssignedException.java =================================================================== --- src/org/mindswap/pellet/query/ParameterNotAssignedException.java (revisión: 0) +++ src/org/mindswap/pellet/query/ParameterNotAssignedException.java (revisión: 25) @@ -0,0 +1,23 @@ +package org.mindswap.pellet.query; + +import com.hp.hpl.jena.shared.JenaException; + +/** + * + * @author Pablo Orduña ( MoreLab ) + * @author Aitor Almeida ( MoreLab ) + * @author Unai Aguilera ( MoreLab ) + * @author Iker Larizgoitia ( MoreLab ) + * @author Xabier Laiseca ( MoreLab ) + * + */ +public class ParameterNotAssignedException extends JenaException { + + public ParameterNotAssignedException() {} + + public ParameterNotAssignedException(String message) { super(message); } + + public ParameterNotAssignedException(Throwable cause) { super(cause); } + + public ParameterNotAssignedException(String message, Throwable cause) { super(message, cause); } +} Index: src/org/mindswap/pellet/query/QueryEngine.java =================================================================== --- src/org/mindswap/pellet/query/QueryEngine.java (revisión: 11) +++ src/org/mindswap/pellet/query/QueryEngine.java (copia de trabajo) @@ -98,18 +98,34 @@ return exec( queryStr, kb, DEFAULT_SYNTAX ); } + public static QueryResults exec( ParameterizedString queryStr, KnowledgeBase kb ) { + return exec( queryStr.getStringQuery(DEFAULT_SYNTAX), kb ); + } + public static QueryResults execRDQL( String queryStr, KnowledgeBase kb ) { return exec( queryStr, kb, Syntax.syntaxRDQL ); } + public static QueryResults execRDQL( ParameterizedString queryStr, KnowledgeBase kb ) { + return execRDQL( queryStr.getStringQuery(Syntax.syntaxRDQL), kb ); + } + public static QueryResults execSPARQL( String queryStr, KnowledgeBase kb ) { return exec( queryStr, kb, Syntax.syntaxSPARQL ); } + public static QueryResults execSPARQL( ParameterizedString queryStr, KnowledgeBase kb ) { + return execSPARQL( queryStr.getStringQuery(Syntax.syntaxSPARQL), kb); + } + public static Query parse( String queryStr, KnowledgeBase kb ) { return parse( queryStr, kb, DEFAULT_SYNTAX ); } + public static Query parse( ParameterizedString queryStr, KnowledgeBase kb ) { + return parse( queryStr.getStringQuery(DEFAULT_SYNTAX), kb); + } + public static Query parse( String queryStr, KnowledgeBase kb, Syntax syntax ) { QueryParser parser = createParser( syntax ); Query query = parser.parse( queryStr, kb ); @@ -117,12 +133,20 @@ return query; } + public static Query parse( ParameterizedString queryStr, KnowledgeBase kb, Syntax syntax ) { + return parse( queryStr.getStringQuery(syntax), kb, syntax ); + } + public static QueryResults exec( String queryStr, KnowledgeBase kb, Syntax syntax ) { Query query = parse( queryStr, kb, syntax ); return exec( query ); } + public static QueryResults exec( ParameterizedString queryStr, KnowledgeBase kb, Syntax syntax ) { + return exec(queryStr.getStringQuery(syntax), kb, syntax); + } + public static QueryResults exec( Query query, KnowledgeBase kb ) { KnowledgeBase origKB = query.getKB(); query.setKB( kb );