
Invalid ObjectToSQLString in EnumStringType

Open fredericDelaporte opened this issue 1 year ago • 0 comments

While working on a fix for #3516 in #3547, the case of EnumStringType.ObjectToSQLString appeared to be invalid on another level.

https://github.com/nhibernate/nhibernate-core/blob/e8028fb802a13d02938cdccf81a33252821b8b02/src/NHibernate/Type/EnumStringType.cs#L192-L195

That type stores enum values as strings in the database. But its method for obtaining SQL-compatible literal values just yields the enum value name (or string representation of the underlying type value if not named) as is, not as a SQL string literal.

So, using that type for the few features relying on ObjectToSQLString is very likely to fail. (So, using it as a discriminator, or in a query referencing a static field.)

But it does not allow a practical SQL injection since it is limited to injecting a single word having .NET identifier naming constraints. So, I will not fix this in #3547 but I open an issue instead.

fredericDelaporte, Jun 09 '24 16:06
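
The literal mismatch described in the issue, shown as an added example that is not part of the issue or of NHibernate's code. `OrderStatus`, `EnumLiteralDemo`, the `Status` column and all helper names are hypothetical, and `AsBareText` only models the behaviour the issue describes rather than reproducing `EnumStringType`.

```csharp
using System;

// Constructed enum for illustration; not part of NHibernate.
public enum OrderStatus { Pending, Shipped }

public static class EnumLiteralDemo
{
    // Hypothetical helper modelling the behaviour the issue describes:
    // the enum's string form is returned as is, with no quoting.
    public static string AsBareText(Enum value) => value.ToString();

    // Hypothetical helper rendering the same text as a SQL string literal:
    // wrapped in single quotes, with embedded single quotes doubled.
    public static string AsSqlStringLiteral(Enum value) =>
        "'" + value.ToString().Replace("'", "''") + "'";

    // Builds a discriminator-style predicate around a rendered literal.
    // The column name "Status" is constructed for this example.
    public static string Predicate(string literal) => "WHERE Status = " + literal;

    public static void Main()
    {
        // A named value and a value with no name in the enum.
        var samples = new Enum[] { OrderStatus.Shipped, (OrderStatus)42 };
        foreach (var value in samples)
        {
            // Bare text: a name reads as an identifier to the SQL parser,
            // and an unnamed value reads as a numeric literal, while the
            // column holds strings.
            Console.WriteLine(Predicate(AsBareText(value)));

            // Quoted text: a string literal, matching how the value is stored.
            Console.WriteLine(Predicate(AsSqlStringLiteral(value)));
        }
    }
}
```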