vivo-project / VIVO

VIVO is an extensible semantic web application for research discovery and showcasing scholarly work
http://vivoweb.org
BSD 3-Clause "New" or "Revised" License

SPARQL query data getter invalid substitution errors appear in log files #3970

Closed litvinovg closed 2 months ago

litvinovg commented 3 months ago

Describe the bug
While opening the VIVO home page, an error appeared in the Tomcat log file. The error happens due to substitution of an environment variable that doesn't exist in the SPARQL query text, in the case where the SPARQL query data getter doesn't have any variable substitution specified, for backward compatibility.

To Reproduce
Steps to reproduce the behavior:

  1. Build VIVO
  2. Log in
  3. Activate developer panel
  4. In developer panel check "Insert HTML comments at start and end of templates"
  5. Open home page

Expected behavior
A clear and concise description of what you expected to happen.

Stack trace
WARN [FreemarkerConfigurationImpl] org.apache.jena.sparql.ARQException: Value for the parameter contains a SPARQL injection risk
org.apache.jena.sparql.ARQException: Value for the parameter contains a SPARQL injection risk
    at org.apache.jena.query.ParameterizedSparqlString.validateParameterValue(ParameterizedSparqlString.java:630)
    at org.apache.jena.query.ParameterizedSparqlString.setParam(ParameterizedSparqlString.java:692)
    at org.apache.jena.query.ParameterizedSparqlString.setIri(ParameterizedSparqlString.java:760)
    at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.lambda$bindParameters$7(SparqlQueryDataGetter.java:226)
    at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.substitute(SparqlQueryDataGetter.java:243)
    at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.bindParameters(SparqlQueryDataGetter.java:225)
    at edu.cornell.mannlib.vitro.webapp.utils.dataGetter.SparqlQueryDataGetter.getData(SparqlQueryDataGetter.java:172)
    at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.applyDataGetter(FreemarkerConfigurationImpl.java:234)
    at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.retrieveAndRunDataGetters(FreemarkerConfigurationImpl.java:197)
    at edu.cornell.mannlib.vitro.webapp.freemarker.config.FreemarkerConfigurationImpl.getTemplate(FreemarkerConfigurationImpl.java:166)

Additional information
ERROR [SparqlQueryDataGetter] Exception happend while trying to substitute value of variable body in query

PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX vivo: <http://vivoweb.org/ontology/core#>

SELECT DISTINCT ?theURI ?name
WHERE
{
      ?theURI a vivo:AcademicDepartment .
      ?theURI rdfs:label ?name .
}

Environment (please complete the following information):
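To show why the binding fails even though ?body never occurs in the query above, here is an added example (not VIVO's own code) that drives Jena's ParameterizedSparqlString directly with the query from the log: binding every environment variable as an IRI trips Jena's injection check on the "body" value, while a guard that binds only variables actually present in the query text never attempts it. The value for body is a constructed stand-in for the HTML comment the developer panel inserts around templates, and the class and method names are assumptions.

```java
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.sparql.ARQException;

import java.util.Map;
import java.util.regex.Pattern;

public class DataGetterBindingDemo {

    // The query from the issue's log output.
    static final String QUERY =
        "PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>\n" +
        "PREFIX vivo: <http://vivoweb.org/ontology/core#>\n" +
        "SELECT DISTINCT ?theURI ?name\n" +
        "WHERE {\n" +
        "  ?theURI a vivo:AcademicDepartment .\n" +
        "  ?theURI rdfs:label ?name .\n" +
        "}";

    // Constructed stand-in for the FreeMarker environment: "body" holds the
    // HTML comment the developer panel inserts; it is not a query variable.
    static final Map<String, String> ENV =
        Map.of("body", "<!-- FM template: page-home.ftl -->");

    // Behaviour described in the report: bind every environment variable,
    // whether or not the query mentions it. Jena rejects the "body" value
    // because a '>' inside an IRI could close the <...> delimiters.
    static String bindAll(String query, Map<String, String> env) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(query);
        for (Map.Entry<String, String> e : env.entrySet()) {
            pss.setIri(e.getKey(), e.getValue());   // throws ARQException for "body"
        }
        return pss.toString();
    }

    // Guarded variant: bind only variables that occur in the query text
    // (as ?name or $name not followed by another name character) and
    // report, rather than propagate, any value Jena refuses.
    static String bindUsedOnly(String query, Map<String, String> env) {
        ParameterizedSparqlString pss = new ParameterizedSparqlString(query);
        for (Map.Entry<String, String> e : env.entrySet()) {
            Pattern used = Pattern.compile("[?$]" + Pattern.quote(e.getKey()) + "(?!\\w)");
            if (!used.matcher(query).find()) {
                continue;   // "body" is skipped here: it is not part of the query
            }
            try {
                pss.setIri(e.getKey(), e.getValue());
            } catch (ARQException ex) {
                System.err.println("Rejected value for ?" + e.getKey() + ": " + ex.getMessage());
            }
        }
        return pss.toString();
    }
}
```

Calling bindAll(QUERY, ENV) raises the ARQException seen in the stack trace, while bindUsedOnly(QUERY, ENV) returns the query unchanged.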