NHibernate gets crashed by a magic string

Question

Here is my trivial program:

public class Entity
{
  public virtual long Id { get; set; }
  public virtual string Payload { get; set; }
}

class Program
{
  static void Main( string[] args )
  {
    var config = new Configuration().Configure();
    var sessionFactory = config.BuildSessionFactory();
    using ( var session = sessionFactory.OpenSession() )
    {
      var entity = new Entity { Payload = "'))" }; 
      session.Save( entity );
    }
  }
}

As long as Payload property is assigned any innocent string such as 'Hi there' everything works as expected. However this particular magic string ')) makes NHibernate throw an exception: 'Index was out of range. Must be non-negative and less than the size of the collection' when it tries to save the entity.

I wonder why NHibernate cares of the parameter content. It really shouldn't.

Or maybe something is very wrong with this sample?

NHibernate version is 2.1

SQL script:

create table tblEntity
(
  EntityId BIGINT NOT NULL IDENTITY PRIMARY KEY
 ,Payload VARCHAR(10) NOT NULL
)

Mapping:

<?xml version="1.0" encoding="utf-8" ?>
<hibernate-mapping xmlns="urn:nhibernate-mapping-2.2">
  <class name="MyNamespace.Entity, MyAssembly" 
         table="tblEntity">
    <id name="Id" column="EntityId" unsaved-value="0">
      <generator class="identity"/>      
    </id>
    <property name="Payload"/>
  </class>
</hibernate-mapping>

NHibernate settings:

<hibernate-configuration xmlns="urn:nhibernate-configuration-2.2">
  <session-factory>
    <property name="dialect">NHibernate.Dialect.MsSql2005Dialect</property>
    <property name="connection.provider">NHibernate.Connection.DriverConnectionProvider</property>
    <property name="connection.driver_class">NHibernate.Driver.SqlClientDriver</property>
    <property name="connection.connection_string_name">Main</property>
    <property name="connection.isolation">ReadCommitted</property>
    <property name="default_schema">dbo</property>
    <property name="format_sql">true</property>
    <property name="query.substitutions">true=1;false=0</property>
    <property name="proxyfactory.factory_class">NHibernate.ByteCode.LinFu.ProxyFactoryFactory, NHibernate.ByteCode.LinFu</property>
    <mapping assembly="MyAssembly"/>
  </session-factory>
</hibernate-configuration>

Nothing special as you can see, not too much room for mistakes.

Stack Trace

System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
System.ThrowHelper.ThrowArgumentOutOfRangeException()
System.Collections.Generic.List`1.get_Item(Int32 index)
NHibernate.AdoNet.Util.BasicFormatter.FormatProcess.CloseParen()
NHibernate.AdoNet.Util.BasicFormatter.FormatProcess.Perform()
NHibernate.AdoNet.Util.BasicFormatter.Format(String source)
NHibernate.AdoNet.Util.SqlStatementLogger.LogCommand(String message, IDbCommand command, FormatStyle style)
NHibernate.AdoNet.Util.SqlStatementLogger.LogCommand(IDbCommand command, FormatStyle style)
NHibernate.AdoNet.AbstractBatcher.LogCommand(IDbCommand command)
NHibernate.AdoNet.AbstractBatcher.Prepare(IDbCommand cmd)
NHibernate.AdoNet.AbstractBatcher.ExecuteReader(IDbCommand cmd)
NHibernate.Id.IdentityGenerator.InsertSelectDelegate.ExecuteAndExtract(IDbCommand insert, ISessionImplementor session)
NHibernate.Id.Insert.AbstractReturningDelegate.PerformInsert(SqlCommandInfo insertSQL, ISessionImplementor session, IBinder binder)
NHibernate.Persister.Entity.AbstractEntityPersister.Insert(Object[] fields, Boolean[] notNull, SqlCommandInfo sql, Object obj, ISessionImplementor session)
NHibernate.Persister.Entity.AbstractEntityPersister.Insert(Object[] fields, Object obj, ISessionImplementor session)
NHibernate.Action.EntityIdentityInsertAction.Execute()
NHibernate.Engine.ActionQueue.Execute(IExecutable executable)
NHibernate.Event.Default.AbstractSaveEventListener.PerformSaveOrReplicate(Object entity, EntityKey key, IEntityPersister persister, Boolean useIdentityColumn, Object anything, IEventSource source, Boolean requiresImmediateIdAccess)
NHibernate.Event.Default.AbstractSaveEventListener.PerformSave(Object entity, Object id, IEntityPersister persister, Boolean useIdentityColumn, Object anything, IEventSource source, Boolean requiresImmediateIdAccess)
NHibernate.Event.Default.AbstractSaveEventListener.SaveWithGeneratedId(Object entity, String entityName, Object anything, IEventSource source, Boolean requiresImmediateIdAccess)
NHibernate.Event.Default.DefaultSaveOrUpdateEventListener.SaveWithGeneratedOrRequestedId(SaveOrUpdateEvent event)
NHibernate.Event.Default.DefaultSaveEventListener.SaveWithGeneratedOrRequestedId(SaveOrUpdateEvent event)
NHibernate.Event.Default.DefaultSaveOrUpdateEventListener.EntityIsTransient(SaveOrUpdateEvent event)
NHibernate.Event.Default.DefaultSaveEventListener.PerformSaveOrUpdate(SaveOrUpdateEvent event)
NHibernate.Event.Default.DefaultSaveOrUpdateEventListener.OnSaveOrUpdate(SaveOrUpdateEvent event)
NHibernate.Impl.SessionImpl.FireSave(SaveOrUpdateEvent event)
NHibernate.Impl.SessionImpl.Save(Object obj)

Answer 1

I have looked up the changes made to

src/NHibernate/AdoNet/Util/BasicFormatter.cs

there was an issue in NH 2.1 that caused this behavior, this was fixed in 2.1.1.GA.

Bugtracker: NH-1992

Changeset on github: Commit

Answer 2

I believe it might be a bug with NHibernate. When a command is logged (because you have show_sql set to true) it will write out your command and it will look something like this:

insert into tblEntity (Payload) VALUES(@p0); @p0 = ''(('

The logger then tries to tokenize the string and gets confused by the parentheses. Try submitting a bug to the NHibernate JIRA. In the meantime you can try turning off show_sql

Answer 3

I am not familiar with NHibernate, however what you are describing looks as if it might be the result of inadvertant SQL Injection Hopefully the linked wiki page might help.