Commit 2731983

committed
PS: Add query for insecure uses of 'Set-ExecutionPolicy'.
1 parent 849e0b4 commit 2731983

1 file changed

+60
-0
lines changed

Lines changed: 60 additions & 0 deletions
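@@ -0,0 +1,60 @@
+/**
+* @name Insecure execution policy
+* @description Calling `Set-ExecutionPolicy` with an insecure execution policy argument may allow
+* attackers to execute malicious scripts or load malicious configurations.
+* @kind problem
+* @problem.severity error
+* @security-severity 8.8
+* @precision high
+* @id powershell/microsoft/public/insecure-execution-policy
+* @tags correctness
+* security
+* external/cwe/cwe-250
+*/
+
+import powershell
+
+/** A call to `Set-ExecutionPolicy`. */
+class SetExecutionPolicy extends CmdCall {
+SetExecutionPolicy() { this.getAName() = "Set-ExecutionPolicy" }
+
+/** Gets the execution policy of this call to `Set-ExecutionPolicy`. */
+Expr getExecutionPolicy() {
+result = this.getNamedArgument("executionpolicy")
+or
+not this.hasNamedArgument("executionpolicy") and
+result = this.getPositionalArgument(0)
+}
+
+/** Gets the scope of this call to `Set-ExecutionPolicy`, if any. */
+Expr getScope() {
+result = this.getNamedArgument("scope")
+or
+not this.hasNamedArgument("scope") and
+(
+// The ExecutionPolicy argument has position 0 so if is present as a
+// named argument then the position of the Scope argument is 0. However,
+// if the ExecutionPolicy is present as a positional argument then the
+// Scope argument is at position 1.
+if this.hasNamedArgument("executionpolicy")
+then result = this.getPositionalArgument(0)
+else result = this.getPositionalArgument(1)
+)
+}
+}
+
+class Process extends Expr {
+Process() { this.getValue().stringMatches("process") }
+}
+
+class Bypass extends Expr {
+Bypass() { this.getValue().stringMatches("Bypass") }
+}
+
+class BypassSetExecutionPolicy extends SetExecutionPolicy {
+BypassSetExecutionPolicy() { this.getExecutionPolicy() instanceof Bypass }
+}
+
+from BypassSetExecutionPolicy setExecutionPolicy
+where not setExecutionPolicy.getScope() instanceof Process
+select setExecutionPolicy, "Insecure use of 'Set-ExecutionPolicy'."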
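Review bot: The `Bypass` class at hunk line 51 matches only the capitalised spelling while `Process` at line 47 matches lowercase, and PowerShell accepts `-ExecutionPolicy bypass` in any casing, so unless `stringMatches` is case-insensitive in this library (not visible here) a lowercase `bypass` would slip past the query; normalising the casing in both classes, or a comment explaining why the two spellings differ, would close that gap. `Unrestricted` is also an execution policy that allows unsigned local scripts to run and is persisted outside `-Scope Process` exactly like `Bypass`, so it is worth a deliberate decision on whether `Bypass` should become an `InsecurePolicy` class covering both values, with the `@description` and alert message updated to match. The `Process` and `Bypass` classes carry no QLDoc; one-liners such as `/** A value naming the non-persistent Process scope, which this query treats as acceptable. */` and `/** A value naming the Bypass execution policy, which disables script-signing checks. */` would make the exemption reasoning explicit to the next maintainer. The positional fallback in `getScope` is sound given the documented parameter positions, but a short `@description` note that `-Scope Process` is intentionally exempt would save readers from having to infer it from the `where` clause.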
