
Commit 75d37dc

committed
PS: Add false positive.
1 parent f39d08e commit 75d37dc


2 files changed

+11
-1
lines changed


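--- a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
@@ -53,6 +53,7 @@ edges
 | test.ps1:170:36:170:41 | input | test.ps1:129:11:129:20 | userinput | provenance | |
 | test.ps1:172:42:172:47 | input | test.ps1:136:11:136:20 | userinput | provenance | |
 | test.ps1:173:42:173:47 | input | test.ps1:144:11:144:20 | userinput | provenance | |
+| test.ps1:214:10:214:32 | Call to read-host | test.ps1:215:16:215:19 | $o | provenance | Src:MaD:0 |
 nodes
 | test.ps1:3:11:3:20 | userinput | semmle.label | userinput |
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
@@ -109,6 +110,8 @@ nodes
 | test.ps1:170:36:170:41 | input | semmle.label | input |
 | test.ps1:172:42:172:47 | input | semmle.label | input |
 | test.ps1:173:42:173:47 | input | semmle.label | input |
+| test.ps1:214:10:214:32 | Call to read-host | semmle.label | Call to read-host |
+| test.ps1:215:16:215:19 | $o | semmle.label | $o |
 subpaths
 #select
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
@@ -129,3 +132,4 @@ subpaths
 | test.ps1:131:28:131:37 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:131:28:131:37 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:139:50:139:59 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:139:50:139:59 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:147:63:147:72 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:147:63:147:72 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
+| test.ps1:215:16:215:19 | $o | test.ps1:214:10:214:32 | Call to read-host | test.ps1:215:16:215:19 | $o | This command depends on a $@. | test.ps1:214:10:214:32 | Call to read-host | user-provided value |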

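--- a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
+++ b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
@@ -207,4 +207,10 @@ function Invoke-InvokeExpressionInjectionSafe4
 Invoke-InvokeExpressionInjectionSafe1 -UserInput $input
 Invoke-InvokeExpressionInjectionSafe2 -UserInput $input
 Invoke-InvokeExpressionInjectionSafe3 -UserInput $input
-Invoke-InvokeExpressionInjectionSafe4 -UserInput $input
+Invoke-InvokeExpressionInjectionSafe4 -UserInput $input
+
+function false-positive-in-call-operator($d)
+{
+$o = Read-Host "enter input"
+& unzip -o "$o" -d $d # GOOD [FALSE POSITIVE]
+}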
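Review bot: The `# GOOD [FALSE POSITIVE]` marker on `& unzip -o "$o" -d $d` does not say why the case is safe, and the reason matters for whoever later tunes the query: the call operator hands `$o` to the unzip process as a single argument, so no shell parses the user-provided string and it cannot be split into additional commands, which is what distinguishes it from the `Invoke-Expression` cases above it. I would state that in a comment on the line above, e.g. `# The call operator (&) passes $o as one argv element straight to unzip; no shell interprets it, so command injection is not possible here.` The annotation should also not be read as blanket approval — an input beginning with `-` is presumably still parsed by unzip as an option (argument injection), which is a different weakness than the one this query models and is worth a short note so the "GOOD" is not over-generalised. As a point of style, `false-positive-in-call-operator` departs from the Verb-Noun names used by the neighbouring test functions (e.g. `Invoke-InvokeExpressionInjectionSafe4`); something like `Invoke-CallOperatorFalsePositive` would keep the file consistent. The identical removed/added line 210 looks like a trailing-newline change only and needs no action.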
