Add injection test cases

Author: fredericDelaporte

src/NHibernate.Test/Async/NHSpecificTest/GH3516/FixtureByCode.cs

@@ -0,0 +1,65 @@
+//------------------------------------------------------------------------------
+// <auto-generated>
+//     This code was generated by AsyncGenerator.
+//
+//     Changes to this file may cause incorrect behavior and will be lost if
+//     the code is regenerated.
+// </auto-generated>
+//------------------------------------------------------------------------------
+
+
+using NHibernate.Cfg.MappingSchema;
+using NHibernate.Mapping.ByCode;
+using NUnit.Framework;
+
+namespace NHibernate.Test.NHSpecificTest.GH3516
+{
+	using System.Threading.Tasks;
+	[TestFixture]
+	public class FixtureByCodeAsync : TestCaseMappingByCode
+	{
+		protected override HbmMapping GetMappings()
+		{
+			var mapper = new ModelMapper();
+			mapper.Class<Entity>(rc =>
+			{
+				rc.Id(x => x.Id, m => m.Generator(Generators.GuidComb));
+				rc.Property(x => x.Name);
+			});
+			return mapper.CompileMappingForAllExplicitlyAddedEntities();
+		}
+
+		protected override void OnSetUp()
+		{
+			using var session = OpenSession();
+			using var transaction = session.BeginTransaction();
+			var e = new Entity { Name = Entity.NameWithSingleQuote };
+			session.Save(e);
+			e = new Entity { Name = Entity.NameWithEscapedSingleQuote };
+			session.Save(e);
+
+			transaction.Commit();
+		}
+
+		protected override void OnTearDown()
+		{
+			using var session = OpenSession();
+			using var transaction = session.BeginTransaction();
+			session.CreateQuery("delete from System.Object").ExecuteUpdate();
+
+			transaction.Commit();
+		}
+
+		[Test]
+		public async Task SqlInjectionInStringsAsync()
+		{
+			using var session = OpenSession();
+
+			var list = await (session.CreateQuery("from Entity e where e.Name = Entity.NameWithSingleQuote").ListAsync<Entity>());
+			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithSingleQuote)}");
+
+			list = await (session.CreateQuery("from Entity e where e.Name = Entity.NameWithEscapedSingleQuote").ListAsync<Entity>());
+			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithEscapedSingleQuote)}");
+		}
+	}
+}

src/NHibernate.Test/NHSpecificTest/GH3516/Entity.cs

@@ -0,0 +1,14 @@
+using System;
+
+namespace NHibernate.Test.NHSpecificTest.GH3516
+{
+	public class Entity
+	{
+		public virtual Guid Id { get; set; }
+		public virtual string Name { get; set; }
+
+		public const string NameWithSingleQuote = "'; drop table Entity; --";
+
+		public const string NameWithEscapedSingleQuote = @"\'; drop table Entity; --";
+	}
+}

src/NHibernate.Test/NHSpecificTest/GH3516/FixtureByCode.cs

@@ -0,0 +1,54 @@
+using NHibernate.Cfg.MappingSchema;
+using NHibernate.Mapping.ByCode;
+using NUnit.Framework;
+
+namespace NHibernate.Test.NHSpecificTest.GH3516
+{
+	[TestFixture]
+	public class FixtureByCode : TestCaseMappingByCode
+	{
+		protected override HbmMapping GetMappings()
+		{
+			var mapper = new ModelMapper();
+			mapper.Class<Entity>(rc =>
+			{
+				rc.Id(x => x.Id, m => m.Generator(Generators.GuidComb));
+				rc.Property(x => x.Name);
+			});
+			return mapper.CompileMappingForAllExplicitlyAddedEntities();
+		}
+
+		protected override void OnSetUp()
+		{
+			using var session = OpenSession();
+			using var transaction = session.BeginTransaction();
+			var e = new Entity { Name = Entity.NameWithSingleQuote };
+			session.Save(e);
+			e = new Entity { Name = Entity.NameWithEscapedSingleQuote };
+			session.Save(e);
+
+			transaction.Commit();
+		}
+
+		protected override void OnTearDown()
+		{
+			using var session = OpenSession();
+			using var transaction = session.BeginTransaction();
+			session.CreateQuery("delete from System.Object").ExecuteUpdate();
+
+			transaction.Commit();
+		}
+
+		[Test]
+		public void SqlInjectionInStrings()
+		{
+			using var session = OpenSession();
+
+			var list = session.CreateQuery("from Entity e where e.Name = Entity.NameWithSingleQuote").List<Entity>();
+			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithSingleQuote)}");
+
+			list = session.CreateQuery("from Entity e where e.Name = Entity.NameWithEscapedSingleQuote").List<Entity>();
+			Assert.That(list, Has.Count.EqualTo(1), $"Unable to find entity with name {nameof(Entity.NameWithEscapedSingleQuote)}");
+		}
+	}
+}