validate dataset name to prevent sql injection from this parameter
xchrdw committed Jul 6, 2015
1 parent 937041f commit 3f71090
Showing 2 changed files with 33 additions and 16 deletions.
Expand Up @@ -224,8 +224,14 @@ class DatabaseConnection(config : Configuration) {
result */
}

def getClusters(s: String, ontologyNamespace : String): Seq[Group] = {
val table = s
def validateDatasetString(table: String) = {
if(!table.matches("[A-Za-z]+")) {
throw new RuntimeException("illegal table name: " + table)
}
}

def getClusters(table: String, ontologyNamespace : String): Seq[Group] = {
validateDatasetString(table)
val sql = sql"SELECT label, cluster_size FROM #${table}.CLUSTERS WHERE username = 'ontology' ORDER BY label".as[(String, Int)]
var id : Int = -1
try {
Expand All @@ -235,7 +241,7 @@ class DatabaseConnection(config : Configuration) {
new Group(id, removeOntologyNamespace(label, ontologyNamespace), cluster_size)
})
} catch {
case e : SqlSyntaxErrorException => println("This dataset has no clusters: " + s)
case e : SqlSyntaxErrorException => println("This dataset has no clusters: " + table)
Nil
}
}
Expand Down Expand Up @@ -271,6 +277,7 @@ class DatabaseConnection(config : Configuration) {


def getStatistics(dataset: String) : mutable.Map[String, String] = {
validateDatasetString(dataset)
val statistics = mutable.Map[String, String]()
val sql = sql"SELECT nodedegreedistribution, averagelinks, edges, connectedcomponents, stronglyconnectedcomponents FROM #$dataset.graphstatistics".as[(String, Float, Int, Int, Int)]
try {
Expand All @@ -297,7 +304,7 @@ class DatabaseConnection(config : Configuration) {
val result2 = execute(sql2) map ((gcnodes) => {
statistics += ("gcnodes" -> gcnodes.toString)
})
println(e.getMessage + System.lineSeparator() + sql.toString)
println("error getting stats: " + e.getMessage + System.lineSeparator() + sql.toString)
}
}
statistics
Expand Down Expand Up @@ -355,6 +362,7 @@ class DatabaseConnection(config : Configuration) {
}

def getPatternDiameter(dataset: String, patternId: Int) : Int = {
validateDatasetString(dataset)
var diameter : Int = 0
try {
val sql = sql"SELECT diameter FROM #${dataset}.patterns WHERE id = #${patternId}".as[(Int)]
Expand All @@ -363,12 +371,13 @@ class DatabaseConnection(config : Configuration) {
diameter = diameterSql
})
} catch {
case e : SqlSyntaxErrorException => println(e.getMessage)
case e : SqlSyntaxErrorException => println("error getting diameter" + e.getMessage)
}
diameter
}

def getEntityDetails(dataset: String, subjectId: Int): Entity = {
validateDatasetString(dataset)
var triples : List[Triple] = Nil
var label : String = ""
var subjectUri = ""
Expand Down Expand Up @@ -409,7 +418,7 @@ class DatabaseConnection(config : Configuration) {
}
statement.close
} catch {
case e : SqlSyntaxErrorException => println(e.getMessage)
case e : SqlSyntaxErrorException => println("error getting entity details" + e.getMessage)
}

val entityDetails = new Entity(subjectId, subjectUri, label, triples)
Expand All @@ -434,6 +443,7 @@ class DatabaseConnection(config : Configuration) {
}

def insertPatterns(name: String, patterns: util.HashMap[Integer, util.HashMap[String, Integer]], coloredPatterns: util.HashMap[Integer, util.List[String]], diameter: util.HashMap[Integer, lang.Double]) {
validateDatasetString(name)
val coloredPatternsMap = coloredPatterns.asScala.toMap
val diameterMap = diameter.asScala.toMap
val patternsMap = patterns.asScala.toMap
Expand All @@ -450,7 +460,7 @@ class DatabaseConnection(config : Configuration) {
val resultSet = statement.execute("INSERT INTO " + name + ".PATTERNS (ID, NAME, PATTERN, OCCURENCES, DIAMETER) VALUES (" + id + ", '" + patternName + "', '" + pattern + "'," + occurences + "," + patternDiameter + ")")
} catch {
case e: SqlIntegrityConstraintViolationException => println("Pattern already exists")
case e: SqlException => println(e.getMessage)
case e: SqlException => println("error inserting pattern: " + e.getMessage)
case e: SqlSyntaxErrorException => println(e.getMessage + System.lineSeparator() + "INSERT INTO " + name + ".PATTERNS (ID, PATTERN, OCCURENCES, DIAMETER) VALUES (" + id + ", '" + pattern + "'," + occurences + ", " + patternDiameter + ")")
}
val cPattern = coloredPatternsMap.get(id).get.asScala.toList
Expand All @@ -460,7 +470,7 @@ class DatabaseConnection(config : Configuration) {
val resultSet = statement.execute("INSERT INTO " + name + ".coloredpatterns (ID, PATTERN) VALUES (" + id + ", '" + coloredpattern + "')")
} catch {
case e: SqlException => {
println(e.getMessage)
println("error inserting pattern (2)" + e.getMessage)
println(coloredpattern)
}
case e: SqlSyntaxErrorException => println(e.getMessage + System.lineSeparator() + "INSERT INTO " + name + ".coloredpatterns (ID, PATTERN) VALUES (" + id + ", '" + coloredpattern + "')")
Expand All @@ -478,6 +488,7 @@ class DatabaseConnection(config : Configuration) {
}

def performInsert(table: String, names: Seq[Any], values: Seq[Any]): Option[Int] = {
validateDatasetString(table)
val query = String.format("insert into %s (%s) values (%s)",
table,
commaize(names.map(n => n.toString).toList),
Expand Down Expand Up @@ -513,6 +524,7 @@ class DatabaseConnection(config : Configuration) {
}

def getSubjectId(dataset: String, s: String): Int = {
validateDatasetString(dataset)
var result : Int = -1
val statement = connection.createStatement()
try {
Expand Down Expand Up @@ -544,6 +556,7 @@ class DatabaseConnection(config : Configuration) {
}

def getObjectId(name: String, s: String): Int = {
validateDatasetString(name)
var result : Int = -1
val statement = connection.createStatement()
val resultSet = statement.executeQuery("SELECT tuple_id FROM " + name + ".objecttable WHERE object='" + s.replace("'", "") + "'")
Expand All @@ -556,28 +569,28 @@ class DatabaseConnection(config : Configuration) {
def getOntologyNamespace(s: String): String = {
var namespace :String = null
try {
val sql = sql"""SELECT ONTOLOGY_NAMESPACE FROM PROLOD_MAIN.SCHEMATA WHERE SCHEMA_NAME = '#${s}'""".as[String]
val sql = sql"""SELECT ONTOLOGY_NAMESPACE FROM PROLOD_MAIN.SCHEMATA WHERE SCHEMA_NAME = ${s}""".as[String]
val result = execute(sql)
result map ((ns) => {
namespace = ns
})
} catch {
case e: SqlException => println(e.getMessage + System.lineSeparator())
case e: SqlSyntaxErrorException => println(e.getMessage + System.lineSeparator())
case e: SqlException => println("error getting ontology namespace: " + e.getMessage + System.lineSeparator())
case e: SqlSyntaxErrorException => println("syntax in ontology namespace: " + e.getMessage + System.lineSeparator())
}
namespace
}

def getNamespace(s: String): String = {
var namespace :String = null
try {
val sql = sql"""SELECT NAMESPACE FROM PROLOD_MAIN.SCHEMATA WHERE SCHEMA_NAME = '#${s}'""".as[String]
val sql = sql"""SELECT NAMESPACE FROM PROLOD_MAIN.SCHEMATA WHERE SCHEMA_NAME = ${s}""".as[String]
val result = execute(sql)
result map ((ns) => {
namespace = ns
})
} catch {
case e: SqlException => println(e.getMessage + System.lineSeparator())
case e: SqlException => println("error getting namespace: " + e.getMessage + System.lineSeparator())
case e: SqlSyntaxErrorException => println(e.getMessage + System.lineSeparator())
}
namespace
Expand All @@ -591,6 +604,7 @@ class DatabaseConnection(config : Configuration) {
}

def getPredicateId(name: String, s: String): Int = {
validateDatasetString(name)
var result : Int = -1
val statement = connection.createStatement()
val resultSet = statement.executeQuery("SELECT id FROM " + name + ".predicatetable WHERE predicate='" + s + "'")
Expand Down Expand Up @@ -641,9 +655,10 @@ class DatabaseConnection(config : Configuration) {
}

def updateClusterSizes(dataset : String, ontologyNamespace : String) = {
validateDatasetString(dataset)
for (cluster : Group <- getClusters(dataset, ontologyNamespace)) {
try {
val sql = sql"""SELECT COUNT(*) FROM #${dataset}.MAINTABLE as m, #${dataset}.predicatetable as p, #${dataset}.objecttable as o WHERE m.predicate_id = p.id AND o.tuple_id = m.tuple_id AND p.predicate = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type' AND o.object = '#${ontologyNamespace}#${cluster.name}'""".as[(Int)]
val sql = sql"""SELECT COUNT(*) FROM #${dataset}.MAINTABLE as m, #${dataset}.predicatetable as p, #${dataset}.objecttable as o WHERE m.predicate_id = p.id AND o.tuple_id = m.tuple_id AND p.predicate = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#type' AND o.object = ${ontologyNamespace + cluster.name}""".as[(Int)]
val result = execute(sql)
var clusterSize = 0
result map ((cluster_size) => {
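Review bot: The allow-list on the schema name does not reach the other string-built predicates in this file: getPredicateId (hunk @@ -591,6 +604,7) still concatenates `s` raw into `"... WHERE predicate='" + s + "'"`, getObjectId (hunk @@ -544,6 +556,7) only strips single quotes from `s` before concatenating it, and insertPatterns (hunk @@ -450,7 +460,7) embeds `patternName` and `pattern` the same way, while only the table name in each is now validated. The bind-parameter form the commit already applies in getOntologyNamespace and updateClusterSizes, e.g. `sql"SELECT id FROM #${name}.predicatetable WHERE predicate = ${s}".as[(Int)]` passed to `execute`, would make those lookups independent of the value's content; the JDBC-statement bodies of those methods end outside their hunks, so the rest of such a rewrite is not visible here. In validateDatasetString, `[A-Za-z]+` also rejects digits and underscores, so any existing schema name containing them will now fail with a RuntimeException — if that is intended, `require(table.matches("[A-Za-z]+"), s"illegal table name: $table")` states the precondition and raises the conventional IllegalArgumentException. A Scaladoc line on the helper saying it is the allow-list for identifiers spliced with `#$` (which the sql interpolator does not escape) would tell the next reader why every dataset/table parameter must call it.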
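--- a/prolod-server/app/controllers/prolod/server/GraphLod.scala
+++ b/prolod-server/app/controllers/prolod/server/GraphLod.scala
@@ -153,8 +153,10 @@ object GraphLod extends Controller {
 data.classDistribution = classDistribution
 }
 
-val patternDiameter = db.getPatternDiameter(datasetId, data.patterns.last.id)
-data.diameter = patternDiameter
+if(data.patterns.nonEmpty) {
+val patternDiameter = db.getPatternDiameter(datasetId, data.patterns.last.id)
+data.diameter = patternDiameter
+}
 
 val json = Json.obj("statistics" -> data)
 Ok(json)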
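Review bot: Nothing in this hunk handles the RuntimeException that getPatternDiameter now throws for a datasetId outside `[A-Za-z]+`, so presumably a rejected dataset id surfaces from this action as an unhandled server error rather than a client error — worth confirming where datasetId is checked before it reaches the db layer, or mapping the failure to a BadRequest here. Stylistically the temporary and the assignment can collapse to `data.patterns.lastOption.foreach(p => data.diameter = db.getPatternDiameter(datasetId, p.id))`, which drops the `if(` spacing and the partial `.last` together. The enclosing action starts and ends outside the hunk.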

