🌐 AI搜索 & 代理 主页
Skip to content

C#: Add NHibernate SQL sinks #21012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hvitved wants to merge 3 commits into
base: main
Choose a base branch
from
Open

C#: Add NHibernate SQL sinks #21012

hvitved wants to merge 3 commits into from
+117 −59

Conversation

@hvitved
Copy link
Contributor

@hvitved hvitved commented Dec 11, 2025

Thanks to @indy-singh for identifying the missing sinks.

@github-actions github-actions bot added the C# label Dec 11, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 11, 2025

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2257,159,4
+    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``NHibernate``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2257,162,4
-    Totals,,107,14505,407,9
+    Totals,,107,14505,410,9
  • Changes to framework-coverage-csharp.csv:
+ NHibernate,3,,,,,,,,,,,,3,,,,,,,,,,

@hvitved hvitved force-pushed the csharp/nhibernate-sql-sinks branch from 897e990 to 776f6cd Compare December 11, 2025 12:30
@hvitved hvitved marked this pull request as ready for review December 11, 2025 12:44
@hvitved hvitved requested a review from a team as a code owner December 11, 2025 12:44
Copilot AI review requested due to automatic review settings December 11, 2025 12:44
Copilot AI reviewed Dec 11, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for NHibernate SQL injection sinks by identifying three methods (CreateSQLQuery on ISession, IStatelessSession, and AbstractSessionImpl) as potential SQL injection entry points. This addresses a security gap previously identified in issue #21003.

Key changes:

  • Added NHibernate sink models for SQL injection detection
  • Created test cases validating the new sinks
  • Updated test expectations to include the new NHibernate findings

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
csharp/ql/lib/ext/NHibernate.model.yml Defines the three new SQL injection sinks for NHibernate
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionNHibernate.cs Adds test cases demonstrating SQL injection vulnerabilities through NHibernate
csharp/ql/test/query-tests/Security Features/CWE-089/options Configures test to load NHibernate stubs
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected Updates expected test results to include new NHibernate detections
csharp/ql/src/change-notes/2025-12-11-nhibernate-sql-sinks.md Documents the addition of NHibernate SQL injection sinks

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@hvitved hvitved requested a review from michaelnebel December 11, 2025 12:51
michaelnebel
michaelnebel approved these changes Dec 11, 2025
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent!
It will be interesting to see whether DCA reports more alerts 😄

@indy-singh
Copy link

indy-singh commented Dec 11, 2025

Would you guys be open to a PR with a few more sinks to do with Npgsql and Cassandra?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@michaelnebel michaelnebel michaelnebel approved these changes

Assignees

No one assigned

Labels

C# documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hvitved @indy-singh @michaelnebel