Merge branch 'main' into jb1/upstream-zipslip

ropwareJB · web-flow · commit 87e0b08531a4 · 2025-07-10T09:35:03.000-07:00
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/ChildIndex.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/ChildIndex.qll
@@ -14,6 +14,7 @@ newtype ChildIndex =
   CatchClauseBody() or
   CatchClauseType(int i) { exists(any(CatchClause c).getCatchType(i)) } or
   CmdElement_(int i) { exists(any(Cmd cmd).getElement(i)) } or // TODO: Get rid of this?
+  CmdParameterExpr() or
   CmdCallee() or
   CmdRedirection(int i) { exists(any(Cmd cmd).getRedirection(i)) } or
   CmdExprExpr() or
@@ -127,6 +128,8 @@ string stringOfChildIndex(ChildIndex i) {
   or
   i = CmdElement_(_) and result = "CmdElement"
   or
+  i = CmdParameterExpr() and result = "CmdParameterExpr"
+  or
   i = CmdCallee() and result = "CmdCallee"
   or
   i = CmdRedirection(_) and result = "CmdRedirection"
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/CommandParameter.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/CommandParameter.qll
@@ -5,8 +5,11 @@ class CmdParameter extends @command_parameter, CmdElement {
 
   string getName() { command_parameter(this, result) }
 
-  Ast getExpr() {
-    command_parameter_argument(this, result)
+  Ast getExpr() { command_parameter_argument(this, result) }
+
+  final override Ast getChild(ChildIndex i) {
+    i instanceof CmdParameterExpr and
+    result = this.getExpr()
   }
 
   Cmd getCmd() { result.getElement(_) = this }
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPublic.qll
@@ -15,6 +15,8 @@ predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintSte
  * local (intra-procedural) steps.
  */
 pragma[inline]
-predicate localExprTaint(CfgNodes::ExprCfgNode e1, CfgNodes::ExprCfgNode e2) { none() }
+predicate localExprTaint(CfgNodes::ExprCfgNode e1, CfgNodes::ExprCfgNode e2) {
+  localTaintStep*(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
 
 predicate localTaintStep = localTaintStepCached/2;
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/Microsoft.PowerShell.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/Microsoft.PowerShell.model.yml
@@ -6,6 +6,12 @@ extensions:
       - ["microsoft.powershell.utility!", "Method[read-host].ReturnValue", "stdin"]
       - ["microsoft.powershell.utility!", "Method[select-xml].ReturnValue[path]", "file"]
       - ["microsoft.powershell.utility!", "Method[format-hex].ReturnValue[path]", "file"]
+      - ["microsoft.powershell.utility!", "Method[invoke-webrequest].ReturnValue", "remote"]
+      - ["microsoft.powershell.utility!", "Method[iwr].ReturnValue", "remote"]
+      - ["microsoft.powershell.utility!", "Method[wget].ReturnValue", "remote"]
+      - ["microsoft.powershell.utility!", "Method[curl].ReturnValue", "remote"]
+      - ["microsoft.powershell.utility!", "Method[invoke-restmethod].ReturnValue", "remote"]
+      - ["microsoft.powershell.utility!", "Method[irm].ReturnValue", "remote"]
 
   - addsTo:
       pack: microsoft/powershell-all
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/Microsoft.Win32.RegistryKey.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/Microsoft.Win32.RegistryKey.model.yml
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/System.Management.Automation.Language.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/System.Management.Automation.Language.model.yml
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/System.Management.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/System.Management.model.yml
@@ -1,4 +1,10 @@
 extensions:
+  - addsTo:
+      pack: microsoft/powershell-all
+      extensible: summaryModel
+    data:
+    - ["system.management.automation.language.codegeneration!", "Method[escapesinglequotedstringcontent]", "Argument[0]", "ReturnValue", "taint"]
+
   - addsTo:
       pack: microsoft/powershell-all
       extensible: sinkModel
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/System.Net.Sockets.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/System.Net.Sockets.model.yml
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/System.Net.model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/System.Net.model.yml
@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: microsoft/powershell-all
+      extensible: sourceModel
+    data:
+      - ["system.net.sockets.tcpclient", "Method[getstream].ReturnValue", "remote"]
+      - ["system.net.sockets.udpclient", "Method[endreceive].ReturnValue", "remote"]
+      - ["system.net.sockets.udpclient", "Method[receive].ReturnValue", "remote"]
+      - ["system.net.sockets.udpclient", "Method[receiveasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloaddata].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloaddataasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloaddatataskasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadfile].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadfileasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadfiletaskasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadstring].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadstringasync].ReturnValue", "remote"]
+      - ["system.net.webclient", "Method[downloadstringtaskasync].ReturnValue", "remote"]
diff --git a/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
@@ -142,8 +142,10 @@ module CommandInjection {
   class InvokeSink extends Sink {
     InvokeSink() {
       exists(InvokeMemberExpr ie |
-        this.asExpr().getExpr() = ie.getCallee() or
-        this.asExpr().getExpr() = ie.getQualifier().getAChild*()
+        this.asExpr().getExpr() = ie.getCallee()
+        or
+        ie.getAName() = "Invoke" and
+        ie.getQualifier().(MemberExprReadAccess).getMemberExpr() = this.asExpr().getExpr()
       )
     }
 
diff --git a/powershell/ql/src/queries/security/cwe-078/CommandInjection.qhelp b/powershell/ql/src/queries/security/cwe-078/CommandInjection.qhelp
@@ -58,5 +58,6 @@ Injection Hunter:
 <!--  LocalWords:  CWE untrusted unsanitized Runtime
  -->
 
+
 </references>
 </qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.qhelp b/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The command <code>Set-ExecutionPolicy</code> is used to set the execution policies for Windows computers.
+The execution policy is used to determine which configuration files can be loaded and which scripts can be run.
+Setting the execution policy to <code>Bypass</code> disables all warnings and signature checks for script execution,
+allowing any script—including malicious or unsigned code—to run without restriction.</p>
+</overview>
+
+<recommendation>
+<p>Always prefer <code>AllSigned</code> to enforce full signature verification.</p>
+<p>If this is not possible, set the execution policy to <code>RemoteSigned</code> to allow local scripts while requiring downloaded scripts to be signed.</p>
+<p>Always limit the scope of the execution policy by supplying the most restrictive <code>Scope</code> as possible. Use <code>Process</code> to limit the execution policy to the current PowerShell session. When no <code>Scope</code> is supplied the execution policy change is applied system-wide.
+</recommendation>
+
+<example>
+<p>In the following example, <code>Set-ExecutionPolicy</code> is called twice</p>
+
+<p>The first call sets the execution policy to <code>Bypass</code> which allows any script to be run.</p>
+
+<p>The second call sets the execution policy to <code>RemoteSigned</code> which allows local scripts to be run,
+but requires scripts and configurations downloaded from the Internet to be signed.</p>
+
+<sample src="examples/InsecureExecutionPolicy.ps1" />
+</example>
+
+<references>
+<li>MSDN: <a href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy">Set-ExecutionPolicy</a>.</li>
+</references>
+</qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.ql b/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.ql
@@ -0,0 +1,65 @@
+/**
+ * @name Insecure execution policy
+ * @description Calling `Set-ExecutionPolicy` with an insecure execution policy argument may allow
+ *              attackers to execute malicious scripts or load malicious configurations.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id powershell/microsoft/public/insecure-execution-policy
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-250
+ */
+
+import powershell
+
+/** A call to `Set-ExecutionPolicy`. */
+class SetExecutionPolicy extends CmdCall {
+  SetExecutionPolicy() { this.getAName() = "Set-ExecutionPolicy" }
+
+  /** Gets the execution policy of this call to `Set-ExecutionPolicy`. */
+  Expr getExecutionPolicy() {
+    result = this.getNamedArgument("executionpolicy")
+    or
+    not this.hasNamedArgument("executionpolicy") and
+    result = this.getPositionalArgument(0)
+  }
+
+  /** Gets the scope of this call to `Set-ExecutionPolicy`, if any. */
+  Expr getScope() {
+    result = this.getNamedArgument("scope")
+    or
+    not this.hasNamedArgument("scope") and
+    (
+      // The ExecutionPolicy argument has position 0 so if is present as a
+      // named argument then the position of the Scope argument is 0. However,
+      // if the ExecutionPolicy is present as a positional argument then the
+      // Scope argument is at position 1.
+      if this.hasNamedArgument("executionpolicy")
+      then result = this.getPositionalArgument(0)
+      else result = this.getPositionalArgument(1)
+    )
+  }
+
+  /** Holds if the argument `flag` is supplied with a `$true` value. */
+  predicate isForced() { this.getNamedArgument("force").getValue().asBoolean() = true }
+}
+
+class Process extends Expr {
+  Process() { this.getValue().stringMatches("process") }
+}
+
+class Bypass extends Expr {
+  Bypass() { this.getValue().stringMatches("Bypass") }
+}
+
+class BypassSetExecutionPolicy extends SetExecutionPolicy {
+  BypassSetExecutionPolicy() { this.getExecutionPolicy() instanceof Bypass }
+}
+
+from BypassSetExecutionPolicy setExecutionPolicy
+where
+  not setExecutionPolicy.getScope() instanceof Process and
+  setExecutionPolicy.isForced()
+select setExecutionPolicy, "Insecure use of 'Set-ExecutionPolicy'."
diff --git a/powershell/ql/src/queries/security/cwe-250/examples/InsecureExecutionPolicy.ps1 b/powershell/ql/src/queries/security/cwe-250/examples/InsecureExecutionPolicy.ps1
@@ -0,0 +1,9 @@
+Invoke-WebRequest -Uri "https://example.com/script.ps1" -OutFile "C:\Path\To\script.ps1"
+
+# BAD: No warnings or prompts when running potentially unsafe scripts
+Set-ExecutionPolicy Bypass
+& "C:\Path\To\script.ps1" # Will never be blocked
+
+# GOOD: Requires that scripts and configuration files downloaded from the Internet are signed
+Set-ExecutionPolicy RemoteSigned
+& "C:\Path\To\script.ps1" # Will not run unless script.ps1 is signed
diff --git a/powershell/ql/test/library-tests/frameworks/microsoft_powershell/test.ps1 b/powershell/ql/test/library-tests/frameworks/microsoft_powershell/test.ps1
@@ -5,4 +5,7 @@ $xmlQuery = "/Users/User"
 $path = "C:/Users/MyData.xml"
 $xmldata = Select-Xml -Path $path -XPath $xmlQuery # $ type="file stream"
 
-$hexdata = Format-Hex -Path $path -Count 48 # $ type="file stream"
+$hexdata = Format-Hex -Path $path -Count 48 # $ type="file stream"
+
+$remote_data1 = Iwr https://example.com/install.ps1 # $ type="remote flow source"
+$remote_data2 = Invoke-RestMethod -Uri https://blogs.msdn.microsoft.com/powershell/feed/ # $ type="remote flow source"
diff --git a/powershell/ql/test/library-tests/frameworks/system_net_sockets/test.expected b/powershell/ql/test/library-tests/frameworks/system_net_sockets/test.expected
@@ -1 +1 @@
-| test.ps1:1:1:18:0 | [synth] pipeline | Unexpected result: type="command line argument" |
+| test.ps1:1:1:20:93 | [synth] pipeline | Unexpected result: type="command line argument" |
diff --git a/powershell/ql/test/library-tests/frameworks/system_net_sockets/test.ps1 b/powershell/ql/test/library-tests/frameworks/system_net_sockets/test.ps1
@@ -15,3 +15,6 @@ $remoteEndpoint2 = $null
 $data2 = $udpClient.Receive([ref]$remoteEndpoint2) # $ type="remote flow source"
 
 $receiveTask = $udpClient.ReceiveAsync() # $ type="remote flow source"
+
+$webclient = [System.Net.WebClient]::new()
+$data = $webclient.DownloadData("https://example.com/data.txt") # $ type="remote flow source"
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
@@ -3,9 +3,7 @@ edges
 | test.ps1:9:11:9:20 | userinput | test.ps1:10:9:10:38 | Get-Process -Name $UserInput | provenance |  |
 | test.ps1:15:11:15:20 | userinput | test.ps1:16:50:16:79 | Get-Process -Name $UserInput | provenance |  |
 | test.ps1:21:11:21:20 | userinput | test.ps1:22:41:22:70 | Get-Process -Name $UserInput | provenance |  |
-| test.ps1:21:11:21:20 | userinput | test.ps1:22:60:22:69 | UserInput | provenance |  |
 | test.ps1:27:11:27:20 | userinput | test.ps1:28:38:28:67 | Get-Process -Name $UserInput | provenance |  |
-| test.ps1:27:11:27:20 | userinput | test.ps1:28:57:28:66 | UserInput | provenance |  |
 | test.ps1:33:11:33:20 | userinput | test.ps1:34:14:34:46 | public class Foo { $UserInput } | provenance |  |
 | test.ps1:39:11:39:20 | userinput | test.ps1:40:30:40:62 | public class Foo { $UserInput } | provenance |  |
 | test.ps1:45:11:45:20 | userinput | test.ps1:48:30:48:34 | code | provenance |  |
@@ -16,7 +14,7 @@ edges
 | test.ps1:104:11:104:20 | userinput | test.ps1:108:58:108:87 | Get-Process -Name $UserInput | provenance |  |
 | test.ps1:114:11:114:20 | userinput | test.ps1:116:34:116:43 | UserInput | provenance |  |
 | test.ps1:121:11:121:20 | userinput | test.ps1:123:28:123:37 | UserInput | provenance |  |
-| test.ps1:128:11:128:20 | userinput | test.ps1:130:28:130:37 | UserInput | provenance |  |
+| test.ps1:129:11:129:20 | userinput | test.ps1:131:28:131:37 | UserInput | provenance |  |
 | test.ps1:136:11:136:20 | userinput | test.ps1:139:50:139:59 | UserInput | provenance |  |
 | test.ps1:144:11:144:20 | userinput | test.ps1:147:63:147:72 | UserInput | provenance |  |
 | test.ps1:152:10:152:32 | Call to read-host | test.ps1:154:46:154:51 | input | provenance | Src:MaD:0  |
@@ -52,7 +50,7 @@ edges
 | test.ps1:167:41:167:46 | input | test.ps1:104:11:104:20 | userinput | provenance |  |
 | test.ps1:168:36:168:41 | input | test.ps1:114:11:114:20 | userinput | provenance |  |
 | test.ps1:169:36:169:41 | input | test.ps1:121:11:121:20 | userinput | provenance |  |
-| test.ps1:170:36:170:41 | input | test.ps1:128:11:128:20 | userinput | provenance |  |
+| test.ps1:170:36:170:41 | input | test.ps1:129:11:129:20 | userinput | provenance |  |
 | test.ps1:172:42:172:47 | input | test.ps1:136:11:136:20 | userinput | provenance |  |
 | test.ps1:173:42:173:47 | input | test.ps1:144:11:144:20 | userinput | provenance |  |
 nodes
@@ -64,10 +62,8 @@ nodes
 | test.ps1:16:50:16:79 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
 | test.ps1:21:11:21:20 | userinput | semmle.label | userinput |
 | test.ps1:22:41:22:70 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
-| test.ps1:22:60:22:69 | UserInput | semmle.label | UserInput |
 | test.ps1:27:11:27:20 | userinput | semmle.label | userinput |
 | test.ps1:28:38:28:67 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
-| test.ps1:28:57:28:66 | UserInput | semmle.label | UserInput |
 | test.ps1:33:11:33:20 | userinput | semmle.label | userinput |
 | test.ps1:34:14:34:46 | public class Foo { $UserInput } | semmle.label | public class Foo { $UserInput } |
 | test.ps1:39:11:39:20 | userinput | semmle.label | userinput |
@@ -88,8 +84,8 @@ nodes
 | test.ps1:116:34:116:43 | UserInput | semmle.label | UserInput |
 | test.ps1:121:11:121:20 | userinput | semmle.label | userinput |
 | test.ps1:123:28:123:37 | UserInput | semmle.label | UserInput |
-| test.ps1:128:11:128:20 | userinput | semmle.label | userinput |
-| test.ps1:130:28:130:37 | UserInput | semmle.label | UserInput |
+| test.ps1:129:11:129:20 | userinput | semmle.label | userinput |
+| test.ps1:131:28:131:37 | UserInput | semmle.label | UserInput |
 | test.ps1:136:11:136:20 | userinput | semmle.label | userinput |
 | test.ps1:139:50:139:59 | UserInput | semmle.label | UserInput |
 | test.ps1:144:11:144:20 | userinput | semmle.label | userinput |
@@ -119,9 +115,7 @@ subpaths
 | test.ps1:10:9:10:38 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:10:9:10:38 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:16:50:16:79 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:16:50:16:79 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:22:41:22:70 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:22:41:22:70 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
-| test.ps1:22:60:22:69 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:22:60:22:69 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:28:38:28:67 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:28:38:28:67 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
-| test.ps1:28:57:28:66 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:28:57:28:66 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:34:14:34:46 | public class Foo { $UserInput } | test.ps1:152:10:152:32 | Call to read-host | test.ps1:34:14:34:46 | public class Foo { $UserInput } | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:40:30:40:62 | public class Foo { $UserInput } | test.ps1:152:10:152:32 | Call to read-host | test.ps1:40:30:40:62 | public class Foo { $UserInput } | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:48:30:48:34 | code | test.ps1:152:10:152:32 | Call to read-host | test.ps1:48:30:48:34 | code | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
@@ -132,6 +126,6 @@ subpaths
 | test.ps1:108:58:108:87 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:108:58:108:87 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:116:34:116:43 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:116:34:116:43 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:123:28:123:37 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:123:28:123:37 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
-| test.ps1:130:28:130:37 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:130:28:130:37 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
+| test.ps1:131:28:131:37 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:131:28:131:37 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:139:50:139:59 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:139:50:139:59 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:147:63:147:72 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:147:63:147:72 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
diff --git a/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.expected b/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.expected
diff --git a/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.qlref b/powershell/ql/test/query-tests/security/cwe-250/InsecureExecutionPolicy.qlref
diff --git a/powershell/ql/test/query-tests/security/cwe-250/test.ps1 b/powershell/ql/test/query-tests/security/cwe-250/test.ps1

Original file line number	Diff line number	Diff line change
`@@ -142,8 +142,10 @@ module CommandInjection {`
`142`	`142`	`class InvokeSink extends Sink {`
`143`	`143`	`InvokeSink() {`
`144`	`144`	`exists(InvokeMemberExpr ie \|`
`145`		`- this.asExpr().getExpr() = ie.getCallee() or`
`146`		`- this.asExpr().getExpr() = ie.getQualifier().getAChild*()`
	`145`	`+ this.asExpr().getExpr() = ie.getCallee()`
	`146`	`+ or`
	`147`	`+ ie.getAName() = "Invoke" and`
	`148`	`+ ie.getQualifier().(MemberExprReadAccess).getMemberExpr() = this.asExpr().getExpr()`
`147`	`149`	`)`
`148`	`150`	`}`
`149`	`151`