Sparql query data getter ivalid substitution errors appear in log files #3970

litvinovg · 2024-04-04T08:52:51Z

Describe the bug
While opening VIVO home page error appeared in tomcat log file.
Error happens due to substitution of environment variable that doesn't exists in sparql query text in case sparql query data getter doesn't have any variable substitution specified for backward compatibility.

To Reproduce
Steps to reproduce the behavior:

Build VIVO
Log in
Activate developer panel
In developer panel check "Insert HTML comments at start and end of templates"
Open home page

Expected behavior
A clear and concise description of what you expected to happen.

Stack trace
WARN [FreemarkerConfigurationImpl] org.apache.jena.sparql.ARQException: Value for the parameter contains a SPARQL injection risk
org.apache.jena.sparql.ARQException: Value for the parameter contains a SPARQL injection risk
at org.apache.jena.query.ParameterizedSparqlString.validateParameterValue(ParameterizedSparqlString.java:630)
at org.apache.jena.query.ParameterizedSparqlString.setParam(ParameterizedSparqlString.java:692)
at org.apache.jena.query.ParameterizedSparqlString.setIri(ParameterizedSparqlString.java:760)
at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.lambda$bindParameters$7(SparqlQueryDataGetter.java:226)
at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.substitute(SparqlQueryDataGetter.java:243)
at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.bindParameters(SparqlQueryDataGetter.java:225)
at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.getData(SparqlQueryDataGetter.java:172)
at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.applyDataGetter(FreemarkerConfigurationImpl.java:234)
at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.retrieveAndRunDataGetters(FreemarkerConfigurationImpl.java:197)
at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.getTemplate(FreemarkerConfigurationImpl.java:166)

Additional information
ERROR [SparqlQueryDataGetter] Exception happend while trying to substitute value

of variable body in query

PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX vivo: <http://vivoweb.org/ontology/core#>

SELECT DISTINCT ?theURI ?name
WHERE
{
      ?theURI a vivo:AcademicDepartment .
      ?theURI rdfs:label ?name .
}

Environment (please complete the following information):

OS: Linux
Browser Firefox
Tomcat version 8.5
VIVO version 1.14.1-SNAPSHOT
Apache Solr

The text was updated successfully, but these errors were encountered:

litvinovg mentioned this issue Apr 4, 2024

Filter unavailable variable substitutions in Sparql query data getter. vivo-project/Vitro#459

Merged

litvinovg linked a pull request Apr 4, 2024 that will close this issue

Filter unavailable variable substitutions in Sparql query data getter. vivo-project/Vitro#459

Merged

chenejac self-assigned this Apr 4, 2024

chenejac closed this as completed in vivo-project/Vitro#459 Apr 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sparql query data getter ivalid substitution errors appear in log files #3970

Sparql query data getter ivalid substitution errors appear in log files #3970

litvinovg commented Apr 4, 2024 •

edited

Sparql query data getter ivalid substitution errors appear in log files #3970

Sparql query data getter ivalid substitution errors appear in log files #3970

Comments

litvinovg commented Apr 4, 2024 • edited

litvinovg commented Apr 4, 2024 •

edited