Question about untrusted user input

[madjar]

Hi there!

First of all, thanks for publishing this set of rdf-related libraries, I've been having a lot of fun getting back in LD and using them.

I encountered something while building a small app on top of this, and I wondered if you might have some thoughts on this: how to handle (potentially untrusted) user input in SPARQL queries?

The two approaches I usually see in SQL are

• To use some form of placeholders in the query (eg WHERE id = ?). It doesn't seem to be an option in sparql-ex, nor in another implementation of SPARQL I was looking at (oxigraph).
• String concatenation with explicit escaping (though the previous option is often preferred). A few hits on stackoverflow (https://stackoverflow.com/questions/29601839/standard-regex-to-prevent-sparql-injection) suggest that this can be done in sparql by using triple quotes and escaping all backslashes, and single and double quotes.

Is that a topic you've encountered? If so, how do you usually deal with this?

I'd be happy to write a bit of documentation with what I can learn on the topic, if that sounds interesting to you.

[marcelotto]

Sorry, there's nothing available for dealing with this in SPARQL.ex yet. I would have tackled this when building a query DSL similarly as Ecto does it (which implements the first option you've mentioned), but I won't have time for this in the near future.

[madjar]

Oh, indeed, this is probably quite a bit of work :) I'll try the escaping mentioned on that stackoverflow answer, property test the hell out of it, and see how that goes.

On June 17, 2022, GitHub ***@***.***> wrote: Sorry, there's nothing available for dealing with this in SPARQL.ex yet. I would have tackled this when building a query DSL similarly as Ecto does it (which implements the first option you've mentioned), but I won't have time for this in the near future.

— Reply to this email directly, view it on GitHub <https://github.com/rdf- elixir/sparql-ex/issues/4#issuecomment-1159179440>, or unsubscribe <https://github.com/notifications/unsubscribe- auth/AAA2UVI4XQQGLEAF44KHE4LVPTIMPANCNFSM5ZCDI4NA>. You are receiving this because you authored the thread.Message ID: <rdf- ***@***.***>

[marcelotto]

👍 Would be great, if you could share the solution you end up with.

[madjar]

I'm stumbling upon this after all this time.

I ended up asking the same question to the folks of oxigraph (oxigraph/oxigraph#247), and their answer was to use the library's model objects, since it already has a "to_string" mechanism that escapes the values, presumably quite well tested.