added initial psscriptanalyzer rules, docs, tests

Author: chanel-y

powershell/ql/src/experimental/HardcodedComputerName.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The names of computers should never be hard coded as this will expose sensitive information. The ComputerName parameter should never have a hard coded value.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove hardcoded computer names.</p>
+
+</recommendation>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingcomputernamehardcoded?view=ps-modules">AvoidUsingComputerNameHardcoded</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

powershell/ql/src/experimental/HardcodedComputerName.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Hardcoded Computer Name
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/microsoft/public/command-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import powershell
+
+from Argument a 
+where a.getName() = "computername" and exists(a.getValue())
+select a, "ComputerName argument is hardcoded to" + a.getValue()

powershell/ql/src/experimental/UseOfReservedCmdletChar.qhelp

@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+You cannot use following reserved characters in a function or cmdlet name as these can cause parsing or runtime errors.
+
+Reserved Characters include: #,(){}[]&/\\$^;:\"'<>|?@`*%+=~
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove reserved characters from names.</p>
+
+</recommendation>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/reservedcmdletchar?view=ps-modules">ReservedCmdletChar</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UseOfReservedCmdletChar.ql

@@ -0,0 +1,33 @@
+/**
+ * @name Hardcoded Computer Name
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/microsoft/public/command-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+ import powershell
+
+class ReservedCharacter extends string {
+    ReservedCharacter() { 
+        this = [
+        "!", "@", "#", "$",
+        "&", "*", "(", ")", 
+        "+", "=", "{", "^", 
+        "}", "[", "]", "|", 
+        ";", ":", "'", "\"", 
+        "<", ">", ",", "?", 
+        "/", "~"]
+    }
+}
+
+from Function f, ReservedCharacter r
+where f.getName().matches("%"+ r + "%")
+select f, "Function name contains a reserved character: " + r

powershell/ql/src/experimental/UsernameOrPasswordParameter.qhelp

@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>To standardize command parameters, credentials should be accepted as objects of type PSCredential. Functions should not make use of username or password parameters.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Change the parameter to type PSCredential.</p>
+
+</recommendation>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingusernameandpasswordparams?view=ps-modules">AvoidUsingUsernameAndPasswordParams</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UsernameOrPasswordParameter.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Hardcoded Computer Name
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/microsoft/public/command-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+ import powershell
+
+// from Expr e 
+// where e.getLocation().getFile().getBaseName() = "AvoidUsingUsernameAndPasswordParams.ps1"
+// select e, e.getAQlClass()
+
+from Parameter p
+where p.getName().toLowerCase() = ["username", "password"]
+select p, "Do not use username or password parameters."

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.expected

@@ -0,0 +1 @@
+experimental/ConvertToSecureStringAsPlainText.ql

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.qlref

@@ -0,0 +1,4 @@
+$UserInput = Read-Host 'Please enter your secure code'
+$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
+
+$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/test.ps1

@@ -0,0 +1,2 @@
+| test.ps1:3:44:3:65 | hardcoderemotehostname | ComputerName argument is hardcoded tohardcoderemotehostname |
+| test.ps1:13:44:13:64 | hardcodelocalhostname | ComputerName argument is hardcoded tohardcodelocalhostname |