forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #154 from microsoft/invoke-expression-ps-query
invoke expression powershell query
- Loading branch information
Showing
5 changed files
with
53 additions
and
0 deletions.
There are no files selected for viewing
16 changes: 16 additions & 0 deletions
16
powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| /** | ||
| * @name Use of Invoke-Expression | ||
| * @description Do not use Invoke-Expression | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @security-severity 9.8 | ||
| * @precision high | ||
| * @id powershell/do-not-use-invoke-expression | ||
| * @tags security | ||
| */ | ||
| import powershell | ||
| import semmle.code.powershell.dataflow.DataFlow | ||
|
|
||
| from CmdCall call | ||
| where call.getName() = "Invoke-Expression" | ||
| select call, "Do not use Invoke-Expression. It is a command injection risk." |
33 changes: 33 additions & 0 deletions
33
powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <!DOCTYPE qhelp PUBLIC | ||
| "-//Semmle//qhelp//EN" | ||
| "qhelp.dtd"> | ||
| <qhelp> | ||
| <overview> | ||
| <p> | ||
| <code>Invoke-Expression</code> cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using <code>Invoke-Expression</code> can lead to arbitrary commands being executed</p> | ||
|
|
||
| </overview> | ||
| <recommendation> | ||
|
|
||
| <p>Avoid using <code>Invoke-Expression</code> in your powershell code.</p> | ||
|
|
||
| <p>If you’re running some command and the command path has spaces in it, then you need the command invocation operator <code>&</code></p> | ||
| </recommendation> | ||
|
|
||
| <references> | ||
|
|
||
| <li> | ||
| Powershell: | ||
| <a href="https://devblogs.microsoft.com/powershell/invoke-expression-considered-harmful/">Invoke-Expression considered harmful</a>. | ||
| </li> | ||
| <li> | ||
| PSScriptAnalyzer: | ||
| <a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusinginvokeexpression?view=ps-modules">AvoidUsingInvokeExpression</a> | ||
| </li> | ||
| <li> | ||
| StackOverflow: | ||
| <a href="https://stackoverflow.com/questions/51252465/in-what-scenario-was-invoke-expression-designed-to-be-used/51252636#51252636">In what scenario was Invoke-Expression designed to be used?</a> | ||
| </li> | ||
|
|
||
| </references> | ||
| </qhelp> |
1 change: 1 addition & 0 deletions
1
...t/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| | test.ps1:2:1:2:27 | call to Invoke-Expression | Do not use Invoke-Expression. It is a command injection risk. | |
1 change: 1 addition & 0 deletions
1
...test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| queries/security/cwe-078/DoNotUseInvokeExpression.ql |
2 changes: 2 additions & 0 deletions
2
powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| $command = "Get-Process" | ||
| Invoke-Expression $Command |