Add test for char

fredericDelaporte · fredericDelaporte · commit bf8800617b51 · 2024-05-26T19:47:08.000+02:00
diff --git a/src/NHibernate.Test/Async/NHSpecificTest/GH3516/FixtureByCode.cs b/src/NHibernate.Test/Async/NHSpecificTest/GH3516/FixtureByCode.cs
@@ -9,6 +9,7 @@
 
 
 using System;
+using System.Collections.Generic;
 using NHibernate.Cfg.MappingSchema;
 using NHibernate.Mapping.ByCode;
 using NUnit.Framework;
@@ -26,6 +27,7 @@ protected override HbmMapping GetMappings()
 			{
 				rc.Id(x => x.Id, m => m.Generator(Generators.GuidComb));
 				rc.Property(x => x.Name);
+				rc.Property(x => x.Initial);
 			});
 			return mapper.CompileMappingForAllExplicitlyAddedEntities();
 		}
@@ -34,9 +36,9 @@ protected override void OnSetUp()
 		{
 			using var session = OpenSession();
 			using var transaction = session.BeginTransaction();
-			var e = new Entity { Name = Entity.NameWithSingleQuote };
+			var e = new Entity { Name = Entity.NameWithSingleQuote, Initial = Entity.QuoteInitial };
 			session.Save(e);
-			e = new Entity { Name = Entity.NameWithEscapedSingleQuote };
+			e = new Entity { Name = Entity.NameWithEscapedSingleQuote, Initial = Entity.BackslashInitial };
 			session.Save(e);
 
 			transaction.Commit();
@@ -132,5 +134,22 @@ public async Task StringsWithSpecialCharactersAsync(string name)
 				Assert.That(all, Has.Count.GreaterThan(0));
 			}
 		}
+
+		private static readonly string[] _charInjectionsProperties =
+			new[]
+			{
+				nameof(Entity.QuoteInitial),
+				nameof(Entity.BackslashInitial)
+			};
+
+		[TestCaseSource(nameof(_charInjectionsProperties))]
+		public void SqlInjectionInCharAsync(string propertyName)
+		{
+			using var session = OpenSession();
+			var query = session.CreateQuery($"from Entity e where e.Initial = Entity.{propertyName}");
+			IList<Entity> list = null;
+			Assert.That(async () => list = await (query.ListAsync<Entity>()), Throws.Nothing);
+			Assert.That(list, Is.Not.Null.And.Count.EqualTo(1), $"Unable to find entity with initial {propertyName}");
+		}
 	}
 }
diff --git a/src/NHibernate.Test/NHSpecificTest/GH3516/Entity.cs b/src/NHibernate.Test/NHSpecificTest/GH3516/Entity.cs
@@ -6,6 +6,11 @@ public class Entity
 	{
 		public virtual Guid Id { get; set; }
 		public virtual string Name { get; set; }
+		public virtual char Initial { get; set; }
+
+		public const char QuoteInitial = '\'';
+
+		public const char BackslashInitial = '\\';
 
 		public const string NameWithSingleQuote = "'; drop table Entity; --";
 
diff --git a/src/NHibernate.Test/NHSpecificTest/GH3516/FixtureByCode.cs b/src/NHibernate.Test/NHSpecificTest/GH3516/FixtureByCode.cs
@@ -1,4 +1,5 @@
 ﻿using System;
+using System.Collections.Generic;
 using NHibernate.Cfg.MappingSchema;
 using NHibernate.Mapping.ByCode;
 using NUnit.Framework;
@@ -15,6 +16,7 @@ protected override HbmMapping GetMappings()
 			{
 				rc.Id(x => x.Id, m => m.Generator(Generators.GuidComb));
 				rc.Property(x => x.Name);
+				rc.Property(x => x.Initial);
 			});
 			return mapper.CompileMappingForAllExplicitlyAddedEntities();
 		}
@@ -23,9 +25,9 @@ protected override void OnSetUp()
 		{
 			using var session = OpenSession();
 			using var transaction = session.BeginTransaction();
-			var e = new Entity { Name = Entity.NameWithSingleQuote };
+			var e = new Entity { Name = Entity.NameWithSingleQuote, Initial = Entity.QuoteInitial };
 			session.Save(e);
-			e = new Entity { Name = Entity.NameWithEscapedSingleQuote };
+			e = new Entity { Name = Entity.NameWithEscapedSingleQuote, Initial = Entity.BackslashInitial };
 			session.Save(e);
 
 			transaction.Commit();
@@ -121,5 +123,22 @@ public void StringsWithSpecialCharacters(string name)
 				Assert.That(all, Has.Count.GreaterThan(0));
 			}
 		}
+
+		private static readonly string[] _charInjectionsProperties =
+			new[]
+			{
+				nameof(Entity.QuoteInitial),
+				nameof(Entity.BackslashInitial)
+			};
+
+		[TestCaseSource(nameof(_charInjectionsProperties))]
+		public void SqlInjectionInChar(string propertyName)
+		{
+			using var session = OpenSession();
+			var query = session.CreateQuery($"from Entity e where e.Initial = Entity.{propertyName}");
+			IList<Entity> list = null;
+			Assert.That(() => list = query.List<Entity>(), Throws.Nothing);
+			Assert.That(list, Is.Not.Null.And.Count.EqualTo(1), $"Unable to find entity with initial {propertyName}");
+		}
 	}
 }
