Merge branch 'main' of https://github.com/microsoft/codeql into auto/sync-main-pr

Author: dilanbhalla

powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.qhelp

@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.</p>
+
+</overview>
+<recommendation>
+<p>
+If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the <a href="https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretStore">SecretStore</a> module from the PowerShell Gallery.
+</p>
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingconverttosecurestringwithplaintext?view=ps-modules">AvoidUsingConvertToSecureStringWithPlainText</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Use of the AsPlainText parameter in ConvertTo-SecureString
+ * @description Do not use the AsPlainText parameter in ConvertTo-SecureString
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/convert-to-securestring-as-plaintext
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+ from CmdCall c 
+ where 
+ c.getName() = "ConvertTo-SecureString" and
+ c.hasNamedArgument("asplaintext")
+ select c, "Use of AsPlainText parameter in ConvertTo-SecureString call"

powershell/ql/src/experimental/HardcodedComputerName.qhelp

@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The names of computers should never be hard coded as this will expose sensitive information. The <code>ComputerName</code> parameter should never have a hard coded value.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove hardcoded computer names.</p>
+
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingcomputernamehardcoded?view=ps-modules">AvoidUsingComputerNameHardcoded</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

powershell/ql/src/experimental/HardcodedComputerName.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Hardcoded Computer Name
+ * @description Do not hardcode computer names
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/hardcoded-computer-name
+ * @tags correctness
+ *       security
+ */
+
+import powershell
+
+from Argument a 
+where a.getName() = "computername" and exists(a.getValue())
+select a, "ComputerName argument is hardcoded to" + a.getValue()

powershell/ql/src/experimental/UseOfReservedCmdletChar.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+You cannot use following reserved characters in a function or cmdlet name as these can cause parsing or runtime errors.
+
+Reserved Characters include: #,(){}[]&/\\$^;:\"'<>|?@`*%+=~
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove reserved characters from names.</p>
+
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/reservedcmdletchar?view=ps-modules">ReservedCmdletChar</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UseOfReservedCmdletChar.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Reserved Characters in Function Name
+ * @description Do not use reserved characters in function names
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/reserved-characters-in-function-name
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+class ReservedCharacter extends string {
+    ReservedCharacter() { 
+        this = [
+        "!", "@", "#", "$",
+        "&", "*", "(", ")", 
+        "+", "=", "{", "^", 
+        "}", "[", "]", "|", 
+        ";", ":", "'", "\"", 
+        "<", ">", ",", "?", 
+        "/", "~"]
+    }
+}
+
+from Function f, ReservedCharacter r
+where f.getName().matches("%"+ r + "%")
+select f, "Function name contains a reserved character: " + r

powershell/ql/src/experimental/UsernameOrPasswordParameter.qhelp

@@ -0,0 +1,24 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>To standardize command parameters, credentials should be accepted as objects of type <code>PSCredential</code>. Functions should not make use of username or password parameters.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Change the parameter to type <code>PSCredential</code>.</p>
+
+</recommendation>
+<references>
+
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingusernameandpasswordparams?view=ps-modules">AvoidUsingUsernameAndPasswordParams</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UsernameOrPasswordParameter.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Use of Username or Password parameter
+ * @description Do not use username or password parameters
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/username-or-password-parameter
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+from Parameter p
+where p.getName().toLowerCase() = ["username", "password"]
+select p, "Do not use username or password parameters."

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.expected

@@ -0,0 +1 @@
+| test.ps1:2:19:2:79 | Call to ConvertTo-SecureString | Use of AsPlainText parameter in ConvertTo-SecureString call |

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.qlref

@@ -0,0 +1 @@
+experimental/ConvertToSecureStringAsPlainText.ql