buda-base / lds-pdi

http://purl.bdrc.io BDRC Linked Data Server
Apache License 2.0

bogus "vunerable to injection attack" error #36

Closed xristy closed 6 years ago

xristy commented 6 years ago

The lds-queries/Work_comment_fast query is throwing a bogus injection attack complaint. The pattern in the problem query is the same as that of lds-queries/Work_bibl_info_fast and lds-queries/Work_byName:

{"status":500,"code":5001,"message":"Command string is vunerable to injection attack, variable ?L_name appears inside of a literal and is bound to a literal which provides a SPARQL injection attack vector","link":null,"developerMessage":"org.apache.jena.sparql.ARQException: Command string is vunerable to injection attack, variable ?L_name appears inside of a literal and is bound to a literal which provides a SPARQL injection attack vector\n\tat org.apache.jena.query.ParameterizedSparqlString.validateSafeToInject(ParameterizedSparqlString.java:1227)\n\tat org.apache.jena.query.ParameterizedSparqlString.toString(ParameterizedSparqlString.java:1325)\n\tat org.apache.jena.query.ParameterizedSparqlString.asQuery(ParameterizedSparqlString.java:1388)\n\tat io.bdrc.ldspdi.sparql.InjectionTracker.getValidQuery(InjectionTracker.java:88)\n\tat io.bdrc.ldspdi.rest.resources.PublicTemplatesResource.getQueryTemplateResults(PublicTemplatesResource.java:96)\n\tat sun.reflect.GeneratedMethodAccessor163.invoke(Unknown Source)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)\n\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)\n\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)\n\tat org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:243)\n\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)\n\tat 
org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)\n\tat org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)\n\tat org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)\n\tat org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)\n\tat org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)\n\tat org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)\n\tat org.glassfish.jersey.internal.Errors.process(Errors.java:316)\n\tat org.glassfish.jersey.internal.Errors.process(Errors.java:298)\n\tat org.glassfish.jersey.internal.Errors.process(Errors.java:268)\n\tat org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)\n\tat org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)\n\tat org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)\n\tat org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)\n\tat org.glassfish.jersey.servlet.ServletContainer.serviceImpl(ServletContainer.java:409)\n\tat org.glassfish.jersey.servlet.ServletContainer.doFilter(ServletContainer.java:584)\n\tat org.glassfish.jersey.servlet.ServletContainer.doFilter(ServletContainer.java:525)\n\tat org.glassfish.jersey.servlet.ServletContainer.doFilter(ServletContainer.java:462)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)\n\tat 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)\n\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)\n\tat org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1104)\n\tat org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1519)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1475)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.lang.Thread.run(Thread.java:748)\n"}

MarcAgate commented 6 years ago

The only thing I can tell so far is that removing the FILTER makes the exception disappear... On the other hand, removing the double quotes in L_name doesn't change a thing. Finally, if I add a FILTER to a similar query (Work_bibl_info), the query keeps working fine!

xristy commented 6 years ago

There's nothing wrong with the query, which works fine when a bind is used to supply a value for ?L_name. Seems like the injection test is simply broken. It seems to me that as long as the params are restricted to ints, strings and uris, then there is no opportunity for injection attacks. That should only happen with sparql fragments. Validating that ints are ints, uris are uris, and strings are strings, should be quite sufficient.

eroux commented 6 years ago

Well, while I agree with ints and uris, strings are a more difficult business because of quote escaping, that's the whole thing about injection...

xristy commented 6 years ago

So check for proper quote escaping. The lds-pdi is constructing the strings for the case of lucene string params and so is apparently already doing some escaping.

eroux commented 6 years ago

Well, that's what the injection detector is supposed to do, so I would do something else: reproduce the injection exception bug in a small code and report the bug to Jena...

MarcAgate commented 6 years ago

lds-pdi is not doing any escaping at all: it's passing parameters "as is" to the injectionTracker which is in fact a wrapper of the ParameterizedSparqlString Jena class. This class is in charge of "injecting" param values into the queryCommand, according to sparql syntax and injection tracking policies. Anyway, the issue is that this class is not behaving the same way in similar situations. We might decide to post a question to users@jena about this one, since it might be a bug. Isn't it weird to "solve the issue" by removing the FILTER (which does not involve any param, BTW)? And even more weird to not have any issue when adding a filter to a similar query?

xristy commented 6 years ago

The docs on the ParameterizedSparqlString are not clear on whether it checks for escaping in strings much less performs any escaping. It states it doesn't check sparql syntax.

The example query for Work_comment_fast uses "rgyud bla ma" vs the argument rgyud bla ma used in Work_comment. The same argument is used in Work_bibl_info_fast where the quotes must be escaped for the query to work properly. Somewhere the escaping is happening.

Working out a self-contained small test case to report as a bug, or perhaps to users@jena, is appropriate.

MarcAgate commented 6 years ago

Let's take Work_byName. The query passed to the tracker is:

select ?Work_ID ?Work_Name
where {
(?Work_ID ?sc ?Work_Name) text:query ?L_name .
?Work_ID a :Work.
}

and the parameter is "chos dbyings" (with double quotes)

After being processed by the tracker, we have:

SELECT  ?Work_ID ?Work_Name
WHERE
  { ( ?Work_ID ?sc ?Work_Name )
              text:query  "\"chos dbyings\"" .
    ?Work_ID  rdf:type    :Work
  }
LIMIT   500

so the proper escaping is done by ParameterizedSparqlString.
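
To make the escaping step above reproducible outside lds-pdi, here is an added stand-alone example (not the project's own code) that builds the Work_byName template with Jena's ParameterizedSparqlString and binds ?L_name through setLiteral, so the quoting is produced by Jena rather than by string concatenation. The text: prefix IRI and the placeholder : ontology IRI are assumptions; the class and method names (PssEscapingDemo, render) are hypothetical.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.query.Query;
import org.apache.jena.sparql.ARQException;

public class PssEscapingDemo {
    // Same shape as the Work_byName template quoted above.
    // The prefix IRIs are assumptions; the : prefix is a placeholder, not BDRC's real ontology IRI.
    static final String TEMPLATE =
        "PREFIX text: <http://jena.apache.org/text#>\n"
      + "PREFIX : <http://example.org/placeholder/>\n"
      + "SELECT ?Work_ID ?Work_Name WHERE {\n"
      + "  (?Work_ID ?sc ?Work_Name) text:query ?L_name .\n"
      + "  ?Work_ID a :Work .\n"
      + "} LIMIT 500";

    // Bind ?L_name as a typed string literal; Jena escapes the value and validates the binding.
    static String render(String userValue) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(TEMPLATE);
        pss.setLiteral("L_name", userValue);
        try {
            Query q = pss.asQuery();   // runs validateSafeToInject, then parses the command
            return q.toString();
        } catch (ARQException e) {
            // This is the exception the issue report shows (ARQException from validateSafeToInject)
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // The value from the thread, double quotes included: they come back as \" inside one literal
        System.out.println(render("\"chos dbyings\""));
        // A value with an unbalanced quote is still emitted as a single escaped literal, not as syntax
        System.out.println(render("rgyud\" bla ma"));
    }
}
```

Run it against the Jena version in use; the first call should print the escaped literal "\"chos dbyings\"" exactly as in the tracker output above.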

xristy commented 6 years ago

Perhaps the docs need some updating

MarcAgate commented 6 years ago

This was a Jena Bug. It's been fixed in the latest release.