PS: Model 'inputfile' as a sink for SQL injections.

MathiasVP · MathiasVP · commit c18db919c9f8 · 2025-06-20T14:25:45.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -40,7 +40,10 @@ module SqlInjection {
       exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
         this = call.getNamedArgument("query")
         or
+        this = call.getNamedArgument("inputfile")
+        or
         not call.hasNamedArgument("query") and
+        not call.hasNamedArgument("inputfile") and
         this = call.getArgument(0)
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,10 @@ module SqlInjection {`
`40`	`40`	`exists(DataFlow::CallNode call \| call.matchesName("Invoke-Sqlcmd") \|`
`41`	`41`	`this = call.getNamedArgument("query")`
`42`	`42`	`or`
	`43`	`+ this = call.getNamedArgument("inputfile")`
	`44`	`+ or`
`43`	`45`	`not call.hasNamedArgument("query") and`
	`46`	`+ not call.hasNamedArgument("inputfile") and`
`44`	`47`	`this = call.getArgument(0)`
`45`	`48`	`)`
`46`	`49`	`}`