NUnit Injection "Attack"

[Hosch250]

Versions:

• NUnit: v3.12.0
• NUnit3TestAdapter: v3.16.1
• Microsoft Visual Studio Community 2019: v16.5.4
• .NET Core: v3.1

Repro:

[TestCase("\")")]
public void Foo(string input){}

Error:
Running this results in the following error in the Tests output window:

An exception occurred while invoking executor 'executor://nunit3testexecutor/': Incorrect format for TestCaseFilter Error: Missing '('. Specify the correct format and try again. Note that the incorrect format can lead to no test getting executed.

It also breaks the Test Explorer:

I don't know if this is an issue with just the adapter or the runner being adapted; sorry if this ticket is in the wrong place.

[jnm2]

@Hosch250 Thanks for the report! The word choice 'attack' certainly got my attention, but I'm not seeing potential for an exploit. Let us know if that's not the case.

Duplicate of #691?

[Hosch250]

Nothing malicious that I know of (unless someone deliberately checked this into a project to break the tests). It just reminded me of the structure of a SQL Injection attack. Yes, this is a duplicate of that.