Merge pull request #154 from microsoft/invoke-expression-ps-query

chanel-y · web-flow · commit 0bb0031802d6 · 2025-01-09T15:43:37.000-08:00
invoke expression powershell query
diff --git a/powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql b/powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Use of Invoke-Expression
+ * @description Do not use Invoke-Expression
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/do-not-use-invoke-expression
+ * @tags security
+ */
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+
+from CmdCall call 
+where call.getName() = "Invoke-Expression"
+select call, "Do not use Invoke-Expression. It is a command injection risk."
diff --git a/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp b/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+<code>Invoke-Expression</code> cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using <code>Invoke-Expression</code> can lead to arbitrary commands being executed</p>
+
+</overview>
+<recommendation>
+
+<p>Avoid using <code>Invoke-Expression</code> in your powershell code.</p>
+
+<p>If you’re running some command and the command path has spaces in it, then you need the command invocation operator <code>&</code></p>
+</recommendation>
+
+<references>
+
+<li>
+Powershell:
+<a href="https://devblogs.microsoft.com/powershell/invoke-expression-considered-harmful/">Invoke-Expression considered harmful</a>.
+</li>
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusinginvokeexpression?view=ps-modules">AvoidUsingInvokeExpression</a>
+</li>
+<li>
+StackOverflow:
+<a href="https://stackoverflow.com/questions/51252465/in-what-scenario-was-invoke-expression-designed-to-be-used/51252636#51252636">In what scenario was Invoke-Expression designed to be used?</a>
+</li>
+
+</references>
+</qhelp>
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected
@@ -0,0 +1 @@
+| test.ps1:2:1:2:27 | call to Invoke-Expression | Do not use Invoke-Expression. It is a command injection risk. |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
@@ -0,0 +1 @@
+queries/security/cwe-078/DoNotUseInvokeExpression.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
@@ -0,0 +1,2 @@
+$command = "Get-Process"
+Invoke-Expression $Command

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| test.ps1:2:1:2:27 \| call to Invoke-Expression \| Do not use Invoke-Expression. It is a command injection risk. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-078/DoNotUseInvokeExpression.ql`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+$command = "Get-Process"`
	`2`	`+Invoke-Expression $Command`