Monday, December 30, 2019

It is possible to craft raw SQL strings with Entity Framework Core (FromSqlRaw) that simply hand attackers a SQL injection. The danger is in building the query text yourself, with string concatenation or C# $"..." interpolation, before passing it to FromSqlRaw: by then the caller's value is already part of the SQL and EF Core has nothing left to parameterize. Numbered placeholders such as {0} supplied as separate arguments are turned into DbParameters by EF Core, so they are not the problem; wrapping one in quotes ('{0}') just compares the column against a literal instead of against the value.

using System.Collections.Generic;
using System.Linq;
using DataAccessLayer.Models;
using Microsoft.EntityFrameworkCore;

namespace DataAccessLayer.Filters.Entity
{
   public static partial class Filters
   {
      // VULNERABLE: the C# $"..." interpolation splices the caller's value into the
      // SQL text before EF Core ever sees it, so FromSqlRaw receives a finished
      // string and cannot parameterize it. A value such as  x' OR '1'='1  rewrites
      // the WHERE clause.
      public static List<Foo> GetFoo(this DbSet<Foo> dbSet, string bar) =>
         dbSet.FromSqlRaw($"select * from Foo where Baz = '{bar}'")
            .Include(x => x.Qux)   // also load the related Qux for each Foo
            .OrderBy(x => x.Id)
            .ToList();
   }
}


The .Include here will drag along the joined Qux for each Foo, if there is one, I think.
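An added example, not code from the original post, that runs the injectable pattern beside two parameterized alternatives against an in-memory SQLite database so the difference is visible on real rows. It assumes a .NET 6+ console project referencing the Microsoft.EntityFrameworkCore.Sqlite package; the Foo and Qux entities, the table names and the AppDbContext class are invented for the demonstration.

```csharp
// Added example, not from the original post. Assumes .NET 6+ and the
// Microsoft.EntityFrameworkCore.Sqlite package; Foo, Qux and AppDbContext are
// invented for the demonstration.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Data.Sqlite;
using Microsoft.EntityFrameworkCore;

public class Qux
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class Foo
{
    public int Id { get; set; }
    public string Baz { get; set; } = "";
    public Qux? Qux { get; set; }   // optional related row; EF adds a QuxId FK column
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Foo> Foo => Set<Foo>();   // property name "Foo" => table name "Foo"
}

public static class Queries
{
    // INJECTABLE: C# builds the finished SQL string first, so FromSqlRaw only sees
    // text. A value like  nobody' OR '1'='1  becomes part of the WHERE clause.
    public static List<Foo> GetFooVulnerable(AppDbContext db, string bar) =>
        db.Foo.FromSqlRaw($"select * from Foo where Baz = '{bar}'")
              .Include(x => x.Qux)
              .OrderBy(x => x.Id)
              .ToList();

    // SAFE: FromSqlRaw replaces {0} with a DbParameter bound to bar. The placeholder
    // must not be wrapped in quotes; '{0}' would compare Baz against a literal.
    public static List<Foo> GetFooRawParameterized(AppDbContext db, string bar) =>
        db.Foo.FromSqlRaw("select * from Foo where Baz = {0}", bar)
              .Include(x => x.Qux)
              .OrderBy(x => x.Id)
              .ToList();

    // SAFE: FromSqlInterpolated receives the interpolated string as a
    // FormattableString and turns every {expression} into a parameter.
    public static List<Foo> GetFooInterpolated(AppDbContext db, string bar) =>
        db.Foo.FromSqlInterpolated($"select * from Foo where Baz = {bar}")
              .Include(x => x.Qux)
              .OrderBy(x => x.Id)
              .ToList();
}

public static class Program
{
    public static void Main()
    {
        // An in-memory SQLite database lives only while this connection stays open.
        using var connection = new SqliteConnection("DataSource=:memory:");
        connection.Open();
        var options = new DbContextOptionsBuilder<AppDbContext>()
            .UseSqlite(connection)
            .Options;

        using var db = new AppDbContext(options);
        db.Database.EnsureCreated();
        db.Foo.AddRange(
            new Foo { Baz = "alice", Qux = new Qux { Name = "first" } },
            new Foo { Baz = "bob" });
        db.SaveChanges();

        // Constructed attacker input: closes the quote and appends an always-true clause.
        const string payload = "nobody' OR '1'='1";

        Console.WriteLine($"vulnerable:         {Queries.GetFooVulnerable(db, payload).Count} rows");
        Console.WriteLine($"raw, parameterized: {Queries.GetFooRawParameterized(db, payload).Count} rows");
        Console.WriteLine($"interpolated:       {Queries.GetFooInterpolated(db, payload).Count} rows");
    }
}
```

With the constructed payload the first method returns both seeded rows, because the statement it sends is `select * from Foo where Baz = 'nobody' OR '1'='1'`. The two parameterized methods send `Baz = <parameter>` with the entire payload bound as a single value, so they match nothing. FromSqlInterpolated is the easiest habit to adopt, since the `$"..."` syntax that is dangerous with FromSqlRaw is exactly what it expects.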
