diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
index 6e560d653..8abeaa3d1 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
@@ -118,6 +118,12 @@ public class IndividualSDB extends IndividualImpl implements Individual {
 this.dwf = datasetWrapperFactory;
 this.webappDaoFactory = wadf;
 
+ // Check that individualURI is valid. (Prevent SPARQL injection attack.)
+ // Valid syntax is defined here: https://www.w3.org/TR/rdf-sparql-query/#rIRI_REF
+ if (!individualURI.matches("[^<>\"{}|^`\\\\\u0000-\u0020]*")) {
+ throw new IndividualNotFoundException();
+ }
+
 if (skipInitialization) {
 OntModel ontModel = ModelFactory.createOntologyModel(
 OntModelSpec.OWL_MEM);
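Review bot: The new guard accepts the empty string, because the character class is quantified with `*`; if an empty individualURI is not a meaningful input here, `+` is the tighter check, and a null individualURI still reaches `matches` and surfaces as a NullPointerException rather than the IndividualNotFoundException the guard intends. The pattern is recompiled on every construction through `String.matches`; hoisting it to `private static final Pattern VALID_IRI_REF = Pattern.compile("[^<>\"{}|^`\\\\\u0000-\u0020]*");` and testing `VALID_IRI_REF.matcher(individualURI).matches()` avoids that on what looks like a per-individual path. Reporting a malformed URI as IndividualNotFoundException hides the reason from the next reader; a one-line comment such as `// A syntactically invalid URI can never name an individual, so report it as not found` would make the choice explicit, assuming that is the intent. This is a character-level filter at one entry point, so the places that splice this URI into SPARQL text remain the spot where a parameterized query would remove the need for the filter altogether. The enclosing constructor starts and ends outside the hunk.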