Add sanitization to fix SPARQL injection vulnerability. (#111)

Resolves https://jira.duraspace.org/browse/VIVO-1697
Kevin Backhouse 2019-07-15 19:15:03 +01:00 committed by Ben
parent f011af1339
commit dd04f3def8


@ -118,6 +118,12 @@ public class IndividualSDB extends IndividualImpl implements Individual {
this.dwf = datasetWrapperFactory; this.dwf = datasetWrapperFactory;
this.webappDaoFactory = wadf; this.webappDaoFactory = wadf;
// Check that individualURI is valid. (Prevent SPARQL injection attack.)
// Valid syntax is defined here: https://www.w3.org/TR/rdf-sparql-query/#rIRI_REF
if (!individualURI.matches("[^<>\"{}|^`\\\\\u0000-\u0020]*")) {
throw new IndividualNotFoundException();
}
if (skipInitialization) { if (skipInitialization) {
OntModel ontModel = ModelFactory.createOntologyModel( OntModel ontModel = ModelFactory.createOntologyModel(
OntModelSpec.OWL_MEM); OntModelSpec.OWL_MEM);