From dd04f3def86fddee6acd5ceb8c41277f7919d6b4 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 15 Jul 2019 19:15:03 +0100
Subject: [PATCH] Add sanitization to fix SPARQL injection vulnerability. (#111)

Resolves https://jira.duraspace.org/browse/VIVO-1697
---
 .../mannlib/vitro/webapp/dao/jena/IndividualSDB.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
index 6e560d653..8abeaa3d1 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/IndividualSDB.java
@@ -118,6 +118,12 @@ public class IndividualSDB extends IndividualImpl implements Individual {
 this.dwf = datasetWrapperFactory;
 this.webappDaoFactory = wadf;
 
+ // Check that individualURI is valid. (Prevent SPARQL injection attack.)
+ // Valid syntax is defined here: https://www.w3.org/TR/rdf-sparql-query/#rIRI_REF
+ if (!individualURI.matches("[^<>\"{}|^`\\\\\u0000-\u0020]*")) {
+ throw new IndividualNotFoundException();
+ }
+
 if (skipInitialization) {
 OntModel ontModel = ModelFactory.createOntologyModel(
 OntModelSpec.OWL_MEM);
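Review bot: The regex in the added `if` is recompiled by `String.matches` on every IndividualSDB construction, and a null `individualURI` reaches it as a NullPointerException instead of the `IndividualNotFoundException` the check is meant to raise; hoist it to `private static final Pattern IRI_REF_CHARS = Pattern.compile("[^<>\"{}|^`\\\\\u0000-\u0020]*");` and test `if (individualURI == null || !IRI_REF_CHARS.matcher(individualURI).matches()) {` (needs a `java.util.regex.Pattern` import, which this hunk does not show). The character class mirrors the IRI_REF production, so it only neutralizes injection where the URI is later interpolated inside `<...>`; if any query builder places it elsewhere (inside a string literal or a FILTER expression), characters this check admits could still break out, so the comment should state that assumption, e.g. `// Only sufficient because generated SPARQL embeds individualURI as <individualURI>.`, or the query sites should move to Jena's ParameterizedSparqlString.setIri if the project's Jena version provides it. The trailing `*` also accepts the empty string, so `""` passes and would presumably be emitted as the relative IRI `<>`; `+` would reject it if an empty URI is never legitimate here. Because the rejected value is silently discarded, a truncated warning log of it would give operators a signal that someone is probing the endpoint. The enclosing constructor starts and ends outside the hunk.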