SqlReplication: Fix T-SQL string escaping#2445

Merged
johlju merged 4 commits into dsccommunity:main from johlju:fix/issue-#2442
Feb 1, 2026

Conversation

@johlju johlju commented Feb 1, 2026

Pull Request (PR) description

  • Introduced ConvertTo-SqlString to escape strings for T-SQL literals.
  • Introduced ConvertTo-EscapedQueryString to format queries with escaped arguments.
  • Updated Install-RemoteDistributor to utilize these functions for escaping T-SQL arguments.
  • Added unit tests for both new functions to ensure proper functionality and security.

This Pull Request (PR) fixes the following issues

Task list

  • Added an entry to the change log under the Unreleased section of the
    file CHANGELOG.md. Entry should say what was changed and how that
    affects users (if applicable), and reference the issue being resolved
    (if applicable).
  • Resource documentation updated in the resource's README.md.
  • Resource parameter descriptions updated in schema.mof.
  • Comment-based help updated, including parameter descriptions.
  • Localization strings updated.
  • Examples updated.
  • Unit tests updated. See DSC Community Testing Guidelines.
  • Integration tests updated (where possible). See DSC Community Testing Guidelines.
  • Code changes adhere to DSC Community Style Guidelines.


@johlju johlju requested a review from a team as a code owner February 1, 2026 09:10
coderabbitai Bot commented Feb 1, 2026

Walkthrough

Adds two private SQL-escaping helpers (ConvertTo-SqlString, ConvertTo-EscapedQueryString), updates DSC_SqlReplication's Install-RemoteDistributor to use escaped values for SQL Server 2025, and adds Pester unit tests for the new utilities and escaping behavior.

Changes

Cohort: Private helpers
File(s): source/Private/ConvertTo-SqlString.ps1, source/Private/ConvertTo-EscapedQueryString.ps1
Summary: Added ConvertTo-SqlString to escape single quotes in T-SQL string literals and ConvertTo-EscapedQueryString to escape an arguments array and format a query template.

Cohort: DSC resource change
File(s): source/DSCResources/DSC_SqlReplication/DSC_SqlReplication.psm1
Summary: Install-RemoteDistributor now escapes the remote distributor name and admin password (doubling single quotes) when constructing the sp_adddistributor T-SQL for SQL Server 2025; RedactText updated to use escaped password.

Cohort: Unit tests
File(s): tests/Unit/Private/ConvertTo-SqlString.Tests.ps1, tests/Unit/Private/ConvertTo-EscapedQueryString.Tests.ps1
Summary: Added comprehensive Pester tests covering single-quote escaping, multi-argument formatting, special characters, empty and quote-only inputs, and integration between the two helpers.

Cohort: Changelog
File(s): CHANGELOG.md
Summary: Updated Unreleased section to list the two new private helpers and the DSC_SqlReplication update for SQL Server 2025 special-character handling; removed a prior "Changed" line.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks: 5 passed

Description check: ✅ Passed. The description is directly related to the changeset, outlining the introduction of two escaping functions, their integration into Install-RemoteDistributor, unit tests, and referencing issue #2442.
Linked Issues check: ✅ Passed. The PR fully addresses issue #2442 requirements: implements ConvertTo-SqlString for escaping single quotes, ConvertTo-EscapedQueryString for query formatting, applies utilities to Install-RemoteDistributor, includes comprehensive unit tests, and handles passwords and special characters safely.
Out of Scope Changes check: ✅ Passed. All changes are directly related to the linked issue objectives: new private functions for SQL escaping, their unit tests, updates to Install-RemoteDistributor, and a CHANGELOG entry documenting the additions.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: ✅ Passed. The title 'SqlReplication: Fix T-SQL string escaping' accurately reflects the main changes: new T-SQL string escaping functions added and applied to Install-RemoteDistributor to fix security vulnerabilities.

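The escaping that the PR description and the walkthrough above describe, as an added example that is not code from the SqlServerDsc project or from this PR: a stand-in for ConvertTo-SqlString and ConvertTo-EscapedQueryString run over constructed sample values, plus a simplified redaction step to show why the resource's log redaction has to work on the escaped password. The function names follow the PR; the parameter names (Value, Query, Argument) and the shape of the redaction step are assumptions.

```powershell
# Added example, not the SqlServerDsc project's own code: a minimal
# stand-in for the two private helpers this PR introduces, showing how
# doubling single quotes keeps an untrusted value inside its T-SQL string
# literal. Function names follow the PR; parameter names are assumptions.

function ConvertTo-SqlString
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [System.String]
        $Value
    )

    # Inside a literal delimited by single quotes, the only character that
    # can end the literal early is the single quote itself; T-SQL's escape
    # for it is doubling, so ' becomes ''.
    return ($Value -replace "'", "''")
}

function ConvertTo-EscapedQueryString
{
    [CmdletBinding()]
    [OutputType([System.String])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Query,

        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [System.String[]]
        $Argument
    )

    # Escape every argument, then substitute them into the {0}, {1}, ...
    # placeholders with the -f format operator. The template itself carries
    # the surrounding quotes, e.g. N'{0}', so the escaping applies to exactly
    # the text that lands between them.
    $escapedArgument = @(
        foreach ($item in $Argument)
        {
            ConvertTo-SqlString -Value $item
        }
    )

    return ($Query -f $escapedArgument)
}

# Constructed sample values: a distributor name and a password that both
# contain single quotes, the character that would otherwise close the literal.
$distributor = "SQL'DIST"
$password = "P@ss'w''rd;"
$template = "EXEC sp_adddistributor @distributor = N'{0}', @password = N'{1}'"

$query = ConvertTo-EscapedQueryString -Query $template -Argument @($distributor, $password)

# Each original quote is now a pair, so both literals still end where the
# template says they do.
$expected = "EXEC sp_adddistributor @distributor = N'SQL''DIST', @password = N'P@ss''w''''rd;'"
if ($query -ne $expected)
{
    throw "Unexpected escaping result: $query"
}

# Why the PR switches its log redaction to the escaped password (a simplified
# stand-in for the resource's RedactText step; its real shape is an assumption):
# the text present in the query is the escaped form, so redacting the raw
# value would not match and the secret would reach the log.
$redactedWithRaw = $query.Replace($password, '*******')
$redactedWithEscaped = $query.Replace((ConvertTo-SqlString -Value $password), '*******')

if ($redactedWithRaw -eq $query -and $redactedWithEscaped -ne $query)
{
    Write-Verbose -Message 'Only the escaped password matches the query text.' -Verbose
}
```

Doubling single quotes is the right escape only for a value that lands inside a single-quoted T-SQL string literal, which is the case the PR fixes; a value placed where T-SQL expects an identifier, or outside quotes altogether, needs a different treatment, and where the execution path allows it a parameterized call avoids building the literal at all.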

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@CHANGELOG.md`:
- Around line 8-20: Condense the three “Added” bullets into two items by merging
the two SqlServerDsc entries: replace the separate bullets for
ConvertTo-SqlString and ConvertTo-EscapedQueryString with a single SqlServerDsc
entry that briefly notes both private helper functions (ConvertTo-SqlString and
ConvertTo-EscapedQueryString) were added to safely escape T-SQL string literals
and query arguments, and keep the SqlReplication entry for
Install-RemoteDistributor as the second item mentioning it now escapes T-SQL
arguments for SQL Server 2025; ensure wording is concise and follows the ≤2
items per change type rule.

In `@source/Private/ConvertTo-EscapedQueryString.ps1`:
- Around line 38-41: Update the comment-based help in
ConvertTo-EscapedQueryString.ps1 so each OUTPUTS entry lists the return type as
inline code (e.g., `System.String`) followed by a one-line description, and
apply this change to both occurrences (around the shown block and lines 66-69);
also rename the short loop variable `$arg` to a descriptive name of 3+
characters (for example `$argument` or `$item`) throughout the
ConvertTo-EscapedQueryString function and any related loops/blocks to comply
with the naming guideline.

In `@source/Private/ConvertTo-SqlString.ps1`:
- Around line 38-41: The .OUTPUTS section in the comment-based help for
ConvertTo-SqlString is using a plain type token; update the .OUTPUTS block so
the return type is formatted as inline code (e.g., surround the type with inline
code markers) and keep a one-line description stating "Returns the escaped
string with single quotes doubled." Ensure the .OUTPUTS entry is a single-line
with the inline-coded type followed by the short description to match the help
formatting rules.

codecov Bot commented Feb 1, 2026

Codecov Report

❌ Patch coverage is 63.63636% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 94%. Comparing base (dfe01bc) to head (d597e91).
⚠️ Report is 3 commits behind head on main.

Files with missing lines | Patch % | Lines
...sources/DSC_SqlReplication/DSC_SqlReplication.psm1 | 0% | 4 Missing ⚠️
Additional details and impacted files


@@          Coverage Diff          @@
##            main   #2445   +/-   ##
=====================================
- Coverage     94%     94%   -1%     
=====================================
  Files        225     227    +2     
  Lines      10769   10778    +9     
=====================================
+ Hits       10142   10149    +7     
- Misses       627     629    +2     
Flag | Coverage Δ
unit | 94% <63%> (-1%) ⬇️

Files with missing lines | Coverage Δ
source/Private/ConvertTo-EscapedQueryString.ps1 | 100% <100%> (ø)
source/Private/ConvertTo-SqlString.ps1 | 100% <100%> (ø)
...sources/DSC_SqlReplication/DSC_SqlReplication.psm1 | 61% <0%> (-1%) ⬇️

@johlju johlju changed the title SqlReplication: Add T-SQL string escaping functions SqlReplication: Fix T-SQL string escaping Feb 1, 2026
@johlju johlju merged commit d576467 into dsccommunity:main Feb 1, 2026
58 of 59 checks passed
@johlju johlju deleted the fix/issue-#2442 branch February 1, 2026 14:10


Development

Successfully merging this pull request may close these issues.

Add SQL injection prevention utility for T-SQL parameter embedding