ConvertTo-EscapedQueryString.Tests.ps1
# Script-scope PSScriptAnalyzer suppression for PSUseDeclaredVarsMoreThanAssignments.
# The param block below is empty; it is the element the attribute attaches to.
[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '', Justification = 'Suppressing this rule because Script Analyzer does not understand Pester syntax.')]
param ()
# Discovery-time bootstrap: make sure the 'DscResource.Test' helper module is loaded
# before Pester discovers the tests in this file.
BeforeDiscovery {
    try
    {
        $testModuleLoaded = Get-Module -Name 'DscResource.Test'

        if (-not $testModuleLoaded)
        {
            # Dependencies are expected to be resolved already; the 'noop' build task is
            # only run when the module cannot be found among the available modules.
            $testModuleInstalled = Get-Module -Name 'DscResource.Test' -ListAvailable

            if (-not $testModuleInstalled)
            {
                # build.ps1 is resolved relative to this test file and invoked with the call
                # operator in the current session, so it runs with the caller's rights.
                # Streams 3-6 and the success stream are discarded; the error stream
                # (stream 2) is left alone.
                & "$PSScriptRoot/../../../build.ps1" -Tasks 'noop' 3>&1 4>&1 5>&1 6>&1 > $null
            }

            # With unresolved dependencies this import throws because of -ErrorAction 'Stop'.
            $importParameters = @{
                Name        = 'DscResource.Test'
                Force       = $true
                ErrorAction = 'Stop'
            }

            Import-Module @importParameters
        }
    }
    catch [System.IO.FileNotFoundException]
    {
        # Only a missing-file failure is translated into the setup hint below.
        throw 'DscResource.Test module dependency not found. Please run ".\build.ps1 -ResolveDependency -Tasks noop" first.'
    }
}
# Per-file setup: import the module under test and default -ModuleName for the
# Pester commands that take it.
BeforeAll {
    $script:moduleName = 'SqlServerDsc'

    # NOTE(review): presumably read by the module to detect a CI/test run - confirm
    # against the module source. Removed again in AfterAll.
    $env:SqlServerDscCI = $true

    Import-Module -Name $script:moduleName -ErrorAction 'Stop'

    # InModuleScope, Mock and Should all default their ModuleName parameter to the module under test.
    foreach ($defaultKey in 'InModuleScope:ModuleName', 'Mock:ModuleName', 'Should:ModuleName')
    {
        $PSDefaultParameterValues[$defaultKey] = $script:moduleName
    }
}
# Per-file teardown: drop the parameter defaults and the environment variable that
# BeforeAll set, so they do not leak into other test files run in the same session.
AfterAll {
    foreach ($defaultKey in 'InModuleScope:ModuleName', 'Mock:ModuleName', 'Should:ModuleName')
    {
        $PSDefaultParameterValues.Remove($defaultKey)
    }

    Remove-Item -Path 'env:SqlServerDscCI'
}
# Unit tests for the private function ConvertTo-EscapedQueryString, called from inside
# the module scope. Each test substitutes one or more arguments into a query template
# and pins the exact resulting string.
#
# What these tests establish: every single quote in an argument is doubled, and every
# other character (including ';' and '--') is passed through unchanged.
#
# What they do not establish: every template here places its placeholder inside an
# N'...' literal, which is the only position where quote doubling keeps the argument
# inside the string. No test covers a placeholder outside a quoted literal (for example
# an identifier or a numeric position).
# NOTE(review): arguments or templates that themselves contain format tokens such as
# '{0}' or literal braces are also not covered - confirm the intended behaviour against
# the implementation.
# All names and passwords below are constructed sample values.
Describe 'ConvertTo-EscapedQueryString' -Tag 'Private' {
    Context 'When escaping single quotes in query arguments' {
        It 'Should escape a single quote in an argument' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "SELECT * FROM Users WHERE Name = N'{0}'"
                    Argument = "O'Brien"
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                $escapedQuery | Should -Be "SELECT * FROM Users WHERE Name = N'O''Brien'"
            }
        }

        It 'Should escape multiple single quotes in an argument' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "SELECT * FROM Users WHERE Name = N'{0}'"
                    Argument = "O'Brien's"
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                $escapedQuery | Should -Be "SELECT * FROM Users WHERE Name = N'O''Brien''s'"
            }
        }

        It 'Should handle arguments without single quotes' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "SELECT * FROM Users WHERE Name = N'{0}'"
                    Argument = 'Smith'
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                # An argument with nothing to escape is substituted as-is.
                $escapedQuery | Should -Be "SELECT * FROM Users WHERE Name = N'Smith'"
            }
        }
    }

    Context 'When formatting a query with multiple arguments' {
        It 'Should escape single quotes in all arguments' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "EXECUTE sys.sp_adddistributor @distributor = N'{0}', @password = N'{1}';"
                    Argument = @('Server1', "Pass'word;123")
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                # Only the second argument contains a quote; the ';' inside it is left untouched.
                $escapedQuery | Should -Be "EXECUTE sys.sp_adddistributor @distributor = N'Server1', @password = N'Pass''word;123';"
            }
        }

        It 'Should handle multiple arguments with single quotes' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "INSERT INTO Users (FirstName, LastName) VALUES (N'{0}', N'{1}')"
                    Argument = @("Mary's", "O'Connor")
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                $escapedQuery | Should -Be "INSERT INTO Users (FirstName, LastName) VALUES (N'Mary''s', N'O''Connor')"
            }
        }
    }

    Context 'When handling special characters that could be used for SQL injection' {
        It 'Should escape single quotes in passwords with special characters' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                # Sample password holding a single quote, a semicolon and a comment marker.
                # The expected string shows that only the quote is changed; the rest stays
                # inert because it remains inside the N'...' literal of the template.
                $convertParameters = @{
                    Query    = "EXECUTE sys.sp_adddistributor @password = N'{0}';"
                    Argument = "Pass'word;--DROP TABLE Users"
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                $escapedQuery | Should -Be "EXECUTE sys.sp_adddistributor @password = N'Pass''word;--DROP TABLE Users';"
            }
        }

        It 'Should handle argument with only single quotes' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "SELECT N'{0}'"
                    Argument = "'''"
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                # Three quotes become six, plus the two delimiters from the template.
                $escapedQuery | Should -Be "SELECT N''''''''"
            }
        }

        It 'Should handle empty string argument' {
            InModuleScope -ScriptBlock {
                Set-StrictMode -Version 1.0

                $convertParameters = @{
                    Query    = "SELECT N'{0}'"
                    Argument = ''
                }

                $escapedQuery = ConvertTo-EscapedQueryString @convertParameters

                # An empty argument yields an empty literal.
                $escapedQuery | Should -Be "SELECT N''"
            }
        }
    }
}