
@vors
Last active August 29, 2015 14:04
This is a demo of insecure and secure usage of PowerShell.AddScript()
namespace testSandbox
{
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management.Automation;
using System;
using Microsoft.VisualStudio.TestTools.UnitTesting;
/// <summary>
/// Three ways of listing a directory through the hosted PowerShell API. They differ only in how
/// <c>path</c> reaches the engine: as a bound parameter value, or as part of the script text.
/// </summary>
public class LsHelper
{
    /// <summary>Outcome of a single listing call.</summary>
    public class LsResult
    {
        /// <summary>String values found in the pipeline output (filtered lazily on enumeration).</summary>
        public IEnumerable<string> Files { get; set; }

        /// <summary>Copy of the PowerShell error stream taken right after the invocation.</summary>
        public ErrorRecord[] Errors { get; set; }
    }

    // Script text for CallLsSecure. It is a compile-time constant, so no caller-supplied
    // data is ever part of the source that PowerShell parses.
    private const string CallLsDefinition = @"function CallLs($path) {return (ls $path).FullName}";

    /// <summary>
    /// Lists <paramref name="path"/> without any script text: the pipeline
    /// <c>ls -Path ... | Foreach-Object -MemberName FullName</c> is built from commands and
    /// parameters, so <paramref name="path"/> is bound as a value and never parsed as code.
    /// </summary>
    /// <param name="path">Location to list; passed as the <c>Path</c> parameter of <c>ls</c>.</param>
    /// <returns>The string output and the errors the pipeline produced.</returns>
    public static LsResult CallLsWithoutScript(string path)
    {
        using (PowerShell shell = PowerShell.Create())
        {
            shell.AddCommand("ls").AddParameter("Path", path);
            shell.AddCommand("Foreach-Object").AddParameter("MemberName", "FullName");
            return InvokeAndCollect(shell);
        }
    }

    /// <summary>
    /// Insecure variant, kept as the counter-example: <paramref name="path"/> is formatted
    /// straight into the script source handed to <c>AddScript</c>, so any PowerShell syntax it
    /// contains is parsed and executed as part of the script (script injection).
    /// Callers that handle untrusted input should use <see cref="CallLsSecure"/> or
    /// <see cref="CallLsWithoutScript"/> instead.
    /// </summary>
    /// <param name="path">Text spliced into <c>(ls {0}).FullName</c> without quoting or validation.</param>
    /// <returns>The string output and the errors the script produced.</returns>
    public static LsResult CallLs(string path)
    {
        using (PowerShell shell = PowerShell.Create())
        {
            // The data/code boundary is lost here: path becomes script source.
            shell.AddScript(String.Format("(ls {0}).FullName", path));
            return InvokeAndCollect(shell);
        }
    }

    /// <summary>
    /// Script-based but injection-safe variant: a constant script first defines the function
    /// <c>CallLs</c>, then that function is invoked as a command with
    /// <paramref name="path"/> supplied through <c>AddParameter</c>.
    /// </summary>
    /// <param name="path">Location to list; bound to the function's <c>$path</c> parameter.</param>
    /// <returns>The string output and the errors recorded on the PowerShell instance.</returns>
    public static LsResult CallLsSecure(string path)
    {
        using (PowerShell shell = PowerShell.Create())
        {
            // Step 1: run the constant definition so the function exists in this instance.
            shell.AddScript(CallLsDefinition);
            shell.Invoke();

            // Step 2: drop the definition from the command list and call the function,
            // handing path over as a parameter value rather than as script text.
            shell.Commands.Clear();
            shell.AddCommand("CallLs").AddParameter("path", path);
            return InvokeAndCollect(shell);
        }
    }

    // Runs whatever is queued on the instance and packages output plus error stream.
    private static LsResult InvokeAndCollect(PowerShell shell)
    {
        var output = shell.Invoke();
        ErrorRecord[] errors = shell.Streams.Error.ToArray();
        IEnumerable<string> names = output
            .Where(item => item != null)
            .Select(item => item.BaseObject)
            .OfType<string>();
        return new LsResult { Errors = errors, Files = names };
    }
}
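/// <summary>
/// Shows that a crafted path is executed as code by <c>LsHelper.CallLs</c> (script built by string
/// formatting) and is treated as plain data by <c>LsHelper.CallLsSecure</c> and
/// <c>LsHelper.CallLsWithoutScript</c> (path passed as a parameter).
/// </summary>
[TestClass]
public class PowerShellScriptInjectionTests
{
    // Fixed scratch directory. The expected error text in the negative tests contains the
    // drive letter "D", so it is tied to this value.
    private readonly string tempFolder = @"D:\test";

    // Directory that the injected mkdir creates when the path is parsed as script text.
    private string InjectedFolder
    {
        get { return Path.Combine(tempFolder, "powned"); }
    }

    // Path argument that closes the "(ls" expression early, runs an extra command and then
    // re-opens an "(ls" so the formatted script stays syntactically valid.
    private string MaliciousPath
    {
        get { return "| Out-Null); mkdir " + tempFolder + @"\powned | Out-Null; (ls " + tempFolder; }
    }

    /// <summary>Recreates the scratch directory with exactly two empty files.</summary>
    [TestInitialize]
    public void Init()
    {
        if (Directory.Exists(tempFolder))
        {
            // Use the file-system API instead of a string-built "rm -rec" script: no script
            // parsing is involved and a failed cleanup surfaces as an exception.
            Directory.Delete(tempFolder, true);
        }
        Directory.CreateDirectory(tempFolder);

        // File.Create returns an open FileStream; dispose it so the handle does not keep the
        // file locked and block the cleanup of the next test.
        File.Create(Path.Combine(tempFolder, "1.txt")).Dispose();
        File.Create(Path.Combine(tempFolder, "2.txt")).Dispose();
    }

    /// <summary>Benign path through the string-formatted script.</summary>
    [TestMethod]
    public void TestCallLs()
    {
        var lsResult = LsHelper.CallLs(tempFolder);
        var files = lsResult.Files;
        Assert.AreEqual(2, files.Count());
        Assert.AreEqual(0, lsResult.Errors.Length);
    }

    /// <summary>Benign path through the constant function plus parameter binding.</summary>
    [TestMethod]
    public void TestCallLsSecure()
    {
        var lsResult = LsHelper.CallLsSecure(tempFolder);
        var files = lsResult.Files;
        Assert.AreEqual(2, files.Count());
        Assert.AreEqual(0, lsResult.Errors.Length);
    }

    /// <summary>Benign path through the command/parameter pipeline.</summary>
    [TestMethod]
    public void TestCallLsCommand()
    {
        var lsResult = LsHelper.CallLsWithoutScript(tempFolder);
        var files = lsResult.Files;
        Assert.AreEqual(2, files.Count());
        Assert.AreEqual(0, lsResult.Errors.Length);
    }

    /// <summary>
    /// Documents the vulnerability: with <c>CallLs</c> the crafted path runs the embedded
    /// <c>mkdir</c>, so the listing reports three entries (two files plus the new directory)
    /// and no error is raised.
    /// </summary>
    [TestMethod]
    public void TestCallLsBadThingHappen()
    {
        var lsResult = LsHelper.CallLs(MaliciousPath);
        var files = lsResult.Files;
        Assert.AreEqual(3, files.Count());
        Assert.AreEqual(0, lsResult.Errors.Length);
        // Check the side effect itself, not only the count derived from it.
        Assert.IsTrue(Directory.Exists(InjectedFolder));
    }

    /// <summary>
    /// With <c>CallLsSecure</c> the same input is only a (nonexistent) path: nothing is listed,
    /// one error is reported and the injected directory is not created.
    /// </summary>
    [TestMethod]
    public void TestCallLsSecureBadThingHappen()
    {
        var lsResult = LsHelper.CallLsSecure(MaliciousPath);
        var files = lsResult.Files;
        Assert.AreEqual(0, files.Count());
        Assert.AreEqual(1, lsResult.Errors.Length);
        // NOTE(review): exact message text presumably also depends on the PowerShell version
        // and UI culture; confirm before running on other hosts.
        Assert.AreEqual(@"Cannot find drive. A drive with the name '| Out-Null); mkdir D' does not exist.", lsResult.Errors[0].ToString());
        Assert.IsFalse(Directory.Exists(InjectedFolder));
    }

    /// <summary>
    /// With <c>CallLsWithoutScript</c> the same input is only a (nonexistent) path: nothing is
    /// listed, one error is reported and the injected directory is not created.
    /// </summary>
    [TestMethod]
    public void TestCallLsCommandBadThingHappen()
    {
        var lsResult = LsHelper.CallLsWithoutScript(MaliciousPath);
        var files = lsResult.Files;
        Assert.AreEqual(0, files.Count());
        Assert.AreEqual(1, lsResult.Errors.Length);
        // NOTE(review): exact message text presumably also depends on the PowerShell version
        // and UI culture; confirm before running on other hosts.
        Assert.AreEqual(@"Cannot find drive. A drive with the name '| Out-Null); mkdir D' does not exist.", lsResult.Errors[0].ToString());
        Assert.IsFalse(Directory.Exists(InjectedFolder));
    }
}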
}