validate URIs somewhere

[gromgull]

Currently you can pass any old nonsense to URIRef constructor, and get very broken serializations out of RDFLib:

In [13]: g=rdflib.Graph()

In [14]: g.add((rdflib.URIRef("LOL I'm not really a URI at all! <> <> :)"), rdflib.RDF.type, rdflib.RDFS.Class))

In [15]: print g.serialize(format='n3')
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .

<LOL I'm not really a URI at all! <> <> :)> a rdfs:Class .

We should probably validate URIs at some point.

Graham points to https://pypi.python.org/pypi/rfc3987

I am slightly worried about performance, maybe a test is in order.

This issue was distilled out of #263

[drewp]

This may even be a security hole:
catPic = URIRef(raw_input("URI to your cat picture: "))
I can enter "http://example.com/user/drewp> a :Admin . <http://example.com/my/cat/pic"
which will generate an extra n3 statement.

[joernhees]

RDF injection, little bobby tables calling

This depends on the chosen serialization though: xml seems to be more robust:

In [1]: import rdflib

In [2]: g=rdflib.Graph()

In [3]: g.add((rdflib.URIRef("http://foo\">'\\\""), rdflib.RDF.type, rdflib.RDFS.Class))

In [4]: print g.serialize(format='xml')
<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>
  <rdf:Description rdf:about="http://foo&quot;&gt;'\&quot;">
    <rdf:type rdf:resource="http://www.w3.org/2000/01/rdf-schema#Class"/>
  </rdf:Description>
</rdf:RDF>

From this POV it is a serializer bug.
Still I'd somehow also speak in favor of checking URI Validity on URIRef creation.

[uholzer]

Same problem with URIRef.n3(), which I sometimes use to construct SPARQL queries:

>>> URIRef("foo:> <bar:").n3()
'<foo:> <bar:>'

[gromgull]

I tested the rfc module, it is a bit slow - instead I just check for some invalid characters: <>" {}|^`

In my opinion this is a good tradeoff between speed, correctness and not allowing you you to shoot yourself TOO much in the foot.

[dgerber]

Did you test it with the compiled regex? It takes about 1e-6 to 1e-3 sec. on my cheap laptop (although I'm not sure how slow it would be for really pathological test cases):

In [2]: setup = '''import rfc3987
match = rfc3987.get_compiled_pattern("^%(IRI)s$").match
test = '''
In [3]: stmt = 'match(test)'

In [6]: timeit.timeit(stmt, setup+'u"http://ヒキワリ.ナットウ.ニホン"') / 1e6
Out[6]: 6.132636070251465e-06

In [7]: timeit.timeit(stmt, setup+'u"http://www.w3.org/International/articles/idn-and-iri/JP納豆/引き割り納豆.html"') / 1e6
Out[7]: 4.8285482883453366e-05

In [10]: timeit.timeit(stmt, setup+'u"http://stackoverflow.com/questions/2891574/how-do-i-resolve-a-http-414-request-uri-too-long-error?length=4000#'+4000*'0'+'"', number=1000) / 1e3
Out[10]: 0.0010755550861358642

In [11]: setup0 = '''import rdflib
match = rdflib.term._is_valid_uri
test = '''

In [12]: timeit.timeit(stmt, setup0+'u"http://stackoverflow.com/questions/2891574/how-do-i-resolve-a-http-414-request-uri-too-long-error?length=4000#'+4000*'0'+'"', number=1000) / 1e3
Out[12]: 6.966686248779297e-05

In [13]: timeit.timeit(stmt, setup0+'u"http://www.w3.org/International/articles/idn-and-iri/JP納豆/引き割り納豆.html"') / 1e6
Out[13]: 5.024517059326172e-06

In [14]: timeit.timeit(stmt, setup0+'u"http://ヒキワリ.ナットウ.ニホン"') / 1e6
Out[14]: 4.335633993148804e-06

[gromgull]

This is a whole 6 times slower than the crappy solution! We dont have that sort of time - RDFLib is a high-performance project! ;)

I was also reluctant to add another dependency, it's tiny and if you install with pip or something else that fetches dependencies automatically, it's not a problem, but not everyone does.

I guess I could just copy the regex in question into rdflib ...

(Also I wonder about that regex, it has several character ranges in the high unicode range (>#ffff) - as I discovered when doing the sparql parser, these do not work at all in "narrow python" builds, i.e. the default osx/win builds. Some more details here: https://github.com/RDFLib/rdflib/blob/master/rdflib/plugins/sparql/parser.py#L135

[gromgull]

@dgerber Oh I see you are even the rfc3987 author! Then it may interest you that on the pypi page you say that rfc3896 is the URI one, but it's actually 3986...

[uholzer]

I just discovered that we have the same problem with languages of literals!

>>> l = Literal('foo', lang='en . <my> <own> <triple>')
>>> l.n3()
'"foo"@en . <my> <own> <triple>'
>>> g = Graph()
>>> g.add((URIRef("a:a"), URIRef("a:b"), l))
>>> print(g.serialize(format="turtle").decode("UTF-8"))
@prefix ns1: <a:> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xml: <http://www.w3.org/XML/1998/namespace> .

ns1:a ns1:b "foo"@en . <my> <own> <triple> .

[dgerber]

OK, this should give an incorrect one, but at least compilable in narrow-minded builds:

'^%s$' % rfc3987._interpret_unicode_escapes(re.sub(r'\\U[0-9A-F]{8}-\\U[0-9A-F]{8}', '', rfc3987.format_patterns()['IRI']))

Note the ~4000 chars long URI is actually 14 times slower... Maybe allowing for a non-validating constructor would make the high-performance-expecting happier.

(@gromgull Thanks for the typo)