PS: Also require '-Force' with a truthy value. Note the 'NOT DETECTED' test. We will fix that in the next commit.

MathiasVP · MathiasVP · commit 28de6ede0469 · 2025-07-07T19:14:01.000+01:00
diff --git a/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.ql b/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.ql
@@ -41,6 +41,9 @@ class SetExecutionPolicy extends CmdCall {
       else result = this.getPositionalArgument(1)
     )
   }
+
+  /** Holds if the argument `flag` is supplied with a `$true` value. */
+  predicate isForced() { this.getNamedArgument("force").getValue().asBoolean() = true }
 }
 
 class Process extends Expr {
@@ -56,5 +59,7 @@ class BypassSetExecutionPolicy extends SetExecutionPolicy {
 }
 
 from BypassSetExecutionPolicy setExecutionPolicy
-where not setExecutionPolicy.getScope() instanceof Process
+where
+  not setExecutionPolicy.getScope() instanceof Process and
+  setExecutionPolicy.isForced()
 select setExecutionPolicy, "Insecure use of 'Set-ExecutionPolicy'."
diff --git a/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.expected b/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.expected
@@ -1,2 +1,2 @@
-| test.ps1:1:1:1:26 | Call to set-executionpolicy | Insecure use of 'Set-ExecutionPolicy'. |
-| test.ps1:5:1:5:47 | Call to set-executionpolicy | Insecure use of 'Set-ExecutionPolicy'. |
+| test.ps1:1:1:1:33 | Call to set-executionpolicy | Insecure use of 'Set-ExecutionPolicy'. |
+| test.ps1:5:1:5:54 | Call to set-executionpolicy | Insecure use of 'Set-ExecutionPolicy'. |
diff --git a/powershell/ql/test/query-tests/security/cwe-250/test.ps1 b/powershell/ql/test/query-tests/security/cwe-250/test.ps1
@@ -1,5 +1,14 @@
-Set-ExecutionPolicy Bypass # BAD
+Set-ExecutionPolicy Bypass -Force # BAD
+Set-ExecutionPolicy RemoteSigned -Force # GOOD
+Set-ExecutionPolicy Bypass -Scope Process -Force # GOOD
+Set-ExecutionPolicy RemoteSigned -Scope Process -Force # GOOD
+Set-ExecutionPolicy Bypass -Scope MachinePolicy -Force # BAD
+
+Set-ExecutionPolicy Bypass -Force:$true # BAD [NOT DETECTED]
+Set-ExecutionPolicy Bypass -Force:$false # GOOD
+
+Set-ExecutionPolicy Bypass # GOOD
 Set-ExecutionPolicy RemoteSigned # GOOD
 Set-ExecutionPolicy Bypass -Scope Process # GOOD
 Set-ExecutionPolicy RemoteSigned -Scope Process # GOOD
-Set-ExecutionPolicy Bypass -Scope MachinePolicy # BAD
+Set-ExecutionPolicy Bypass -Scope MachinePolicy # GOOD

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,9 @@ class SetExecutionPolicy extends CmdCall {`
`41`	`41`	`else result = this.getPositionalArgument(1)`
`42`	`42`	`)`
`43`	`43`	`}`
	`44`	`+`
	`45`	+ /** Holds if the argument `flag` is supplied with a `$true` value. */
	`46`	`+ predicate isForced() { this.getNamedArgument("force").getValue().asBoolean() = true }`
`44`	`47`	`}`
`45`	`48`
`46`	`49`	`class Process extends Expr {`
`@@ -56,5 +59,7 @@ class BypassSetExecutionPolicy extends SetExecutionPolicy {`
`56`	`59`	`}`
`57`	`60`
`58`	`61`	`from BypassSetExecutionPolicy setExecutionPolicy`
`59`		`-where not setExecutionPolicy.getScope() instanceof Process`
	`62`	`+where`
	`63`	`+ not setExecutionPolicy.getScope() instanceof Process and`
	`64`	`+ setExecutionPolicy.isForced()`
`60`	`65`	`select setExecutionPolicy, "Insecure use of 'Set-ExecutionPolicy'."`