标准正则表达式可防止SPARQL注入? [英] Standard regex to prevent SPARQL injection?
问题描述
我正在Scala中开发RESTful API,该API将SPARQL查询发送到Triplestore。我阅读了文章,其中介绍了用户定义参数(URL中的URL参数)时SPARQL注入的威胁HTTP get请求)直接放在SPARQL中(例如,在全文搜索中)。
I am developing a RESTful API in scala that sends SPARQL-queries to a triplestore. I read an article about the threat of SPARQL-injections when user defined params (URL params in a HTTP get request) are directly put in the SPARQL (e.g. in a fulltext search).
我看到了一些针对Jena的特定解决方案(使用其Java API),这些解决方案对我。
I saw some Jena specific solutions (using its Java API) that are not useful for me.
是否存在某种标准的正则表达式搜索和替换模式,以逃避应集成在SPARQL查询中的字符串中的恶意字符?
Is there some kind of standard regex search and replace pattern to escape malicious characters in a string that should be integrated in a SPARQL-query?
推荐答案
如果用户输入在查询中进入字符串文字:
If the user input goes into a string literal within the query:
- 使用三引号形式:
...或'''...''' - 在用户输入中使用反斜杠添加任何反斜杠,单引号或双引号
ES6示例:
const escapeForTurtle: s => s.replace(/(["'\\])/g, '\\$1')
const query = `SELECT * { ?x :name """${escapeForTurtle(name)}""" }`
这足以防止异常注入和语法错误用户输入。
This is enough to prevent injection and syntax errors from unusual user input.
根据三重存储,如果要确保绝对有可能的所有用户输入都到达存储中而不会丢失任何字符,则可能需要做一些额外的工作输入 \\u0022 是一个很好的测试用例。如果不做任何修改,就应该是安全的。
Depending on the triple store, some extra work might be required if you want to make sure that absolutely every possible user input arrives in the store without any lost characters or extra backslashes. The input \\u0022 is a good test case. If that goes through without modification, you should be safe and done.
这篇关于标准正则表达式可防止SPARQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
