
Commit

Add sanitization to fix SPARQL injection vulnerability.
kevinbackhouse committed Jan 28, 2019
1 parent 6e71744 commit 248ef19
Showing 1 changed file with 6 additions and 0 deletions.
Expand Up @@ -118,6 +118,12 @@ public IndividualSDB(String individualURI,
this.dwf = datasetWrapperFactory;
this.webappDaoFactory = wadf;

// Check that individualURI is valid. (Prevent SPARQL injection attack.)
// Valid syntax is defined here: https://www.w3.org/TR/rdf-sparql-query/#rIRI_REF
if (!individualURI.matches("[^<>\"{}|^`\\\\\u0000-\u0020]*")) {
throw new IndividualNotFoundException();
}

if (skipInitialization) {
OntModel ontModel = ModelFactory.createOntologyModel(
OntModelSpec.OWL_MEM);
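Review bot: `individualURI.matches(...)` will throw a NullPointerException when `individualURI` is null, and nothing in this constructor guards against that before the regex runs; add an explicit null check (and treat null as invalid, since a null URI cannot be a valid IRI_REF either). Two smaller points on the same lines: throwing `IndividualNotFoundException` for a syntactically invalid URI conflates "malformed input" with "no such individual", so a dedicated exception or at least an exception message naming the rejected value would make the rejection easier to diagnose in logs; and the new check deserves a unit test that feeds a URI containing one of the excluded characters (for example `>` or a space) and asserts that the constructor rejects it, so the regex (whose `\\\\` and `\u0000-\u0020` escapes are easy to get subtly wrong) is pinned down.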

0 comments on commit 248ef19