formatting

chanel-y · chanel-y · commit 482fda7541f4 · 2025-07-23T11:22:12.000-07:00
diff --git a/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.qhelp b/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.qhelp
@@ -5,16 +5,16 @@
 <overview>
 <p>The commands<code>Set-SmbClientConfiguration</code> and <code>Set-SmbServerConfiguration</code> are used to set configurations for SMB traffic.
 Insecure configurations such as outdated versions, or turning off encryption, can make connections susceptible to attackers.
+</p>
 </overview>
 
 <recommendation>
-<p>The minimum version of SMB is 3.0, but it is recommended to use the latest version. For SMB server service (inbound connections). For example: <code>Set-SmbServerConfiguration -Smb2DialectMin SMB300</code>
-For SMB client service (outbound connections). For example: <code>Set-SmbClientConfiguration -Smb2DialectMin SMB300</code>
-
+<p>The minimum version of SMB is 3.0, but it is recommended to use the latest version. For example, use: 
+<code>Set-SmbServerConfiguration -Smb2DialectMin SMB300</code> or <code>Set-SmbClientConfiguration -Smb2DialectMin SMB300</code>
+</p>
 <p>
-SMB encryption should be enabled
-For SMB server service (inbound connections). For example: <code> Set-SmbServerConfiguration -encryptdata $true -rejectunencryptedaccess $true </code>
-For SMB client service (outbound connections). For example: <code> Set-SmbClientConfiguration -RequireEncryption $true </code>
+SMB encryption should be enabled. For example, use: 
+<code> Set-SmbServerConfiguration -encryptdata $true -rejectunencryptedaccess $true </code> or <code> Set-SmbClientConfiguration -RequireEncryption $true </code>
 </p>
 
 <p>
diff --git a/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.ql b/powershell/ql/src/queries/security/cwe-319/UnsafeSMBSettings.ql
@@ -10,79 +10,79 @@
  *       security
  *       external/cwe/cwe-315
  */
- import powershell
+
+import powershell
 
 abstract class SMBConfiguration extends CmdCall {
-  abstract Expr getAMisconfiguredSetting(); 
+  abstract Expr getAMisconfiguredSetting();
 
   /** Gets the minimum version of the SMB protocol to be used */
   Expr getMisconfiguredSmb2DialectMin() {
-    exists(Expr dialectMin | 
-      dialectMin = this.getNamedArgument("smb2dialectmin") and 
-      dialectMin.getValue().toString().toLowerCase() in ["none", "smb202", "smb210"] and 
+    exists(Expr dialectMin |
+      dialectMin = this.getNamedArgument("smb2dialectmin") and
+      dialectMin.getValue().toString().toLowerCase() in ["none", "smb202", "smb210"] and
       result = dialectMin
     )
   }
-} 
+}
 
 /** A call to `Set-SmbServerConfiguration`. */
 class SetSMBClientConfiguration extends SMBConfiguration {
   SetSMBClientConfiguration() { this.getAName() = "Set-SmbClientConfiguration" }
-  
+
   /** holds if the argument `requireencryption` is supplied with a `$false` value. */
   Expr getMisconfiguredRequireEncryption() {
-    exists(Expr requireEncryption | 
-      requireEncryption = this.getNamedArgument("requireencryption") and 
-      requireEncryption.getValue().asBoolean() = false and 
+    exists(Expr requireEncryption |
+      requireEncryption = this.getNamedArgument("requireencryption") and
+      requireEncryption.getValue().asBoolean() = false and
       result = requireEncryption
     )
   }
 
   /** Holds if the argument `blockntlm` is supplied with a `$false` value. */
-  Expr getMisconfiguredBlocksNTLM() { 
-    exists(Expr blocksNTLM | 
-      blocksNTLM = this.getNamedArgument("blockntlm") and 
+  Expr getMisconfiguredBlocksNTLM() {
+    exists(Expr blocksNTLM |
+      blocksNTLM = this.getNamedArgument("blockntlm") and
       blocksNTLM.getValue().asBoolean() = false and
       result = blocksNTLM
     )
   }
 
-  override Expr getAMisconfiguredSetting(){
-    result = this.getMisconfiguredRequireEncryption() or 
-    result = this.getMisconfiguredBlocksNTLM() or 
+  override Expr getAMisconfiguredSetting() {
+    result = this.getMisconfiguredRequireEncryption() or
+    result = this.getMisconfiguredBlocksNTLM() or
     result = this.getMisconfiguredSmb2DialectMin()
   }
 }
 
 /** A call to `Set-SmbServerConfiguration`. */
 class SetSMBServerConfiguration extends SMBConfiguration {
-  SetSMBServerConfiguration() { 
-    this.getAName() = "Set-SmbServerConfiguration" 
-  } 
+  SetSMBServerConfiguration() { this.getAName() = "Set-SmbServerConfiguration" }
+
   /** holds if the argument `encryptdata` is supplied with a `$false` value. */
   Expr getMisconfiguredEncryptData() {
     exists(Expr encryptData |
-      encryptData = this.getNamedArgument("encryptdata") and 
+      encryptData = this.getNamedArgument("encryptdata") and
       encryptData.getValue().asBoolean() = false and
       result = encryptData
-    )    
+    )
   }
+
   /** holds if the argument `encryptdata` is supplied with a `$false` value. */
-  Expr getMisconfiguredRejectUnencryptedAccess(){
-    exists(Expr rejectUnencryptedAccess | 
-      rejectUnencryptedAccess = this.getNamedArgument("rejectunencryptedaccess") and 
-      rejectUnencryptedAccess.getValue().asBoolean() = false and 
-      result = rejectUnencryptedAccess  
+  Expr getMisconfiguredRejectUnencryptedAccess() {
+    exists(Expr rejectUnencryptedAccess |
+      rejectUnencryptedAccess = this.getNamedArgument("rejectunencryptedaccess") and
+      rejectUnencryptedAccess.getValue().asBoolean() = false and
+      result = rejectUnencryptedAccess
     )
   }
-  
-  override Expr getAMisconfiguredSetting(){
-    result = this.getMisconfiguredEncryptData() or 
-    result = this.getMisconfiguredRejectUnencryptedAccess() or 
+
+  override Expr getAMisconfiguredSetting() {
+    result = this.getMisconfiguredEncryptData() or
+    result = this.getMisconfiguredRejectUnencryptedAccess() or
     result = this.getMisconfiguredSmb2DialectMin()
   }
-
 }
 
 from SMBConfiguration config
-select config.getAMisconfiguredSetting(), "Unsafe SMB setting"
+select config.getAMisconfiguredSetting(), "Unsafe SMB setting"
