Add a test for special characters

fredericDelaporte · fredericDelaporte · commit f079965a13e7 · 2024-05-19T21:28:21.000+02:00
diff --git a/src/NHibernate.Test/Async/NHSpecificTest/GH3516/FixtureByCode.cs b/src/NHibernate.Test/Async/NHSpecificTest/GH3516/FixtureByCode.cs
@@ -8,6 +8,7 @@
 //------------------------------------------------------------------------------
 
 
+using System;
 using NHibernate.Cfg.MappingSchema;
 using NHibernate.Mapping.ByCode;
 using NUnit.Framework;
@@ -61,5 +62,69 @@ public async Task SqlInjectionInStringsAsync()
 			list = await (session.CreateQuery("from Entity e where e.Name = Entity.NameWithEscapedSingleQuote").ListAsync<Entity>());
 			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithEscapedSingleQuote)}");
 		}
+
+		private static readonly string[] _specialNames =
+			new[]
+			{
+				"\0; drop table Entity; --",
+				"\b; drop table Entity; --",
+				"\n; drop table Entity; --",
+				"\r; drop table Entity; --",
+				"\t; drop table Entity; --",
+				"\x1A; drop table Entity; --",
+				"\"; drop table Entity; --",
+				"\\; drop table Entity; --"
+			};
+
+		[TestCaseSource(nameof(_specialNames))]
+		public async Task StringsWithSpecialCharactersAsync(string name)
+		{
+			// We may not even be able to insert the entity.
+			var wasInserted = false;
+			try
+			{
+				using var s = OpenSession();
+				using var t = s.BeginTransaction();
+				var e = new Entity { Name = name };
+				await (s.SaveAsync(e));
+				await (t.CommitAsync());
+
+				wasInserted = true;
+			}
+			catch (Exception e)
+			{
+				Assert.Warn($"The entity insertion failed with message {e}");
+			}
+
+			try
+			{
+				using var session = OpenSession();
+				Entity.NameWithPotentiallyTroublesomeCharacters = name;
+				var list = await (session.CreateQuery("from Entity e where e.Name = Entity.NameWithPotentiallyTroublesomeCharacters").ListAsync<Entity>());
+				if (wasInserted && list.Count != 1)
+					Assert.Warn($"Unable to find entity with name {nameof(Entity.NameWithPotentiallyTroublesomeCharacters)}");
+			}
+			catch (Exception e)
+			{
+				Assert.Warn($"The query has failed with message {e}");
+			}
+
+			// Check the db is not wrecked.
+			if (wasInserted)
+			{
+				using var session = OpenSession();
+				var list = await (session
+					.CreateQuery("from Entity e where e.Name = :name")
+					.SetString("name", name)
+					.ListAsync<Entity>());
+				Assert.That(list, Has.Count.EqualTo(1));
+			}
+			else
+			{
+				using var session = OpenSession();
+				var all = await (session.CreateQuery("from Entity e").ListAsync<Entity>());
+				Assert.That(all, Has.Count.GreaterThan(0));
+			}
+		}
 	}
 }
diff --git a/src/NHibernate.Test/NHSpecificTest/GH3516/Entity.cs b/src/NHibernate.Test/NHSpecificTest/GH3516/Entity.cs
@@ -10,5 +10,7 @@ public class Entity
 		public const string NameWithSingleQuote = "'; drop table Entity; --";
 
 		public const string NameWithEscapedSingleQuote = @"\'; drop table Entity; --";
+
+		public static string NameWithPotentiallyTroublesomeCharacters;
 	}
 }
diff --git a/src/NHibernate.Test/NHSpecificTest/GH3516/FixtureByCode.cs b/src/NHibernate.Test/NHSpecificTest/GH3516/FixtureByCode.cs
@@ -1,4 +1,5 @@
-﻿using NHibernate.Cfg.MappingSchema;
+﻿using System;
+using NHibernate.Cfg.MappingSchema;
 using NHibernate.Mapping.ByCode;
 using NUnit.Framework;
 
@@ -50,5 +51,69 @@ public void SqlInjectionInStrings()
 			list = session.CreateQuery("from Entity e where e.Name = Entity.NameWithEscapedSingleQuote").List<Entity>();
 			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithEscapedSingleQuote)}");
 		}
+
+		private static readonly string[] _specialNames =
+			new[]
+			{
+				"\0; drop table Entity; --",
+				"\b; drop table Entity; --",
+				"\n; drop table Entity; --",
+				"\r; drop table Entity; --",
+				"\t; drop table Entity; --",
+				"\x1A; drop table Entity; --",
+				"\"; drop table Entity; --",
+				"\\; drop table Entity; --"
+			};
+
+		[TestCaseSource(nameof(_specialNames))]
+		public void StringsWithSpecialCharacters(string name)
+		{
+			// We may not even be able to insert the entity.
+			var wasInserted = false;
+			try
+			{
+				using var s = OpenSession();
+				using var t = s.BeginTransaction();
+				var e = new Entity { Name = name };
+				s.Save(e);
+				t.Commit();
+
+				wasInserted = true;
+			}
+			catch (Exception e)
+			{
+				Assert.Warn($"The entity insertion failed with message {e}");
+			}
+
+			try
+			{
+				using var session = OpenSession();
+				Entity.NameWithPotentiallyTroublesomeCharacters = name;
+				var list = session.CreateQuery("from Entity e where e.Name = Entity.NameWithPotentiallyTroublesomeCharacters").List<Entity>();
+				if (wasInserted && list.Count != 1)
+					Assert.Warn($"Unable to find entity with name {nameof(Entity.NameWithPotentiallyTroublesomeCharacters)}");
+			}
+			catch (Exception e)
+			{
+				Assert.Warn($"The query has failed with message {e}");
+			}
+
+			// Check the db is not wrecked.
+			if (wasInserted)
+			{
+				using var session = OpenSession();
+				var list = session
+					.CreateQuery("from Entity e where e.Name = :name")
+					.SetString("name", name)
+					.List<Entity>();
+				Assert.That(list, Has.Count.EqualTo(1));
+			}
+			else
+			{
+				using var session = OpenSession();
+				var all = session.CreateQuery("from Entity e").List<Entity>();
+				Assert.That(all, Has.Count.GreaterThan(0));
+			}
+		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -10,5 +10,7 @@ public class Entity`
`10`	`10`	`public const string NameWithSingleQuote = "'; drop table Entity; --";`
`11`	`11`
`12`	`12`	`public const string NameWithEscapedSingleQuote = @"\'; drop table Entity; --";`
	`13`	`+`
	`14`	`+ public static string NameWithPotentiallyTroublesomeCharacters;`
`13`	`15`	`}`
`14`	`16`	`}`