PS: Mark the BAD results in the test appropriately.

MathiasVP · MathiasVP · commit eec092c4c4b4 · 2025-07-04T11:13:15.000+01:00
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
@@ -1,51 +1,51 @@
 function Invoke-InvokeExpressionInjection1
 {
     param($UserInput)
-    Invoke-Expression "Get-Process -Name $UserInput"
+    Invoke-Expression "Get-Process -Name $UserInput" # BAD
 }
 
 function Invoke-InvokeExpressionInjection2
 {
     param($UserInput)
-    iex "Get-Process -Name $UserInput"
+    iex "Get-Process -Name $UserInput" # BAD
 }
 
 function Invoke-InvokeExpressionInjection3
 {
     param($UserInput)
-    $executionContext.InvokeCommand.InvokeScript("Get-Process -Name $UserInput")
+    $executionContext.InvokeCommand.InvokeScript("Get-Process -Name $UserInput") # BAD
 }
 
 function Invoke-InvokeExpressionInjection4
 {
     param($UserInput)
-    $host.Runspace.CreateNestedPipeline("Get-Process -Name $UserInput", $false).Invoke()
+    $host.Runspace.CreateNestedPipeline("Get-Process -Name $UserInput", $false).Invoke() # BAD
 }
 
 function Invoke-InvokeExpressionInjection5
 {
     param($UserInput)
-    [PowerShell]::Create().AddScript("Get-Process -Name $UserInput").Invoke()
+    [PowerShell]::Create().AddScript("Get-Process -Name $UserInput").Invoke() # BAD
 }
 
 function Invoke-InvokeExpressionInjection6
 {
     param($UserInput)
-    Add-Type "public class Foo { $UserInput }"
+    Add-Type "public class Foo { $UserInput }" # BAD
 }
 
 function Invoke-InvokeExpressionInjection7
 {
     param($UserInput)
-    Add-Type -TypeDefinition "public class Foo { $UserInput }"
+    Add-Type -TypeDefinition "public class Foo { $UserInput }" # BAD
 }
 
 function Invoke-InvokeExpressionInjection8
 {
     param($UserInput)
 
     $code = "public class Foo { $UserInput }"
-    Add-Type -TypeDefinition $code
+    Add-Type -TypeDefinition $code # BAD
 }
 
 function Invoke-InvokeExpressionInjectionFP
@@ -72,21 +72,21 @@ function Invoke-ExploitableCommandInjection1
 {
     param($UserInput)
 
-    powershell -command "Get-Process -Name $UserInput"
+    powershell -command "Get-Process -Name $UserInput" # BAD
 }
 
 function Invoke-ExploitableCommandInjection2
 {
     param($UserInput)
 
-    powershell "Get-Process -Name $UserInput"
+    powershell "Get-Process -Name $UserInput" # BAD
 }
 
 function Invoke-ExploitableCommandInjection3
 {
     param($UserInput)
 
-    cmd /c "ping $UserInput"
+    cmd /c "ping $UserInput" # BAD
 }
 
 function Invoke-ScriptBlockInjection1
@@ -95,7 +95,7 @@ function Invoke-ScriptBlockInjection1
 
     ## Often used when making remote connections
 
-    $sb = [ScriptBlock]::Create("Get-Process -Name $UserInput")
+    $sb = [ScriptBlock]::Create("Get-Process -Name $UserInput") # BAD
     Invoke-Command RemoteServer $sb
 }
 
@@ -105,22 +105,22 @@ function Invoke-ScriptBlockInjection2
 
     ## Often used when making remote connections
 
-    $sb = $executionContext.InvokeCommand.NewScriptBlock("Get-Process -Name $UserInput")
+    $sb = $executionContext.InvokeCommand.NewScriptBlock("Get-Process -Name $UserInput") # BAD
     Invoke-Command RemoteServer $sb
 }
 
 function Invoke-MethodInjection1
 {
     param($UserInput)
 
-    Get-Process | Foreach-Object $UserInput
+    Get-Process | Foreach-Object $UserInput # BAD
 }
 
 function Invoke-MethodInjection2
 {
     param($UserInput)
 
-    (Get-Process -Id $pid).$UserInput()
+    (Get-Process -Id $pid).$UserInput() # BAD
 }
 
 
@@ -136,15 +136,15 @@ function Invoke-ExpandStringInjection1
     param($UserInput)
 
     ## Used to attempt a variable resolution
-    $executionContext.InvokeCommand.ExpandString($UserInput)
+    $executionContext.InvokeCommand.ExpandString($UserInput) # BAD
 }
 
 function Invoke-ExpandStringInjection2
 {
     param($UserInput)
 
     ## Used to attempt a variable resolution
-    $executionContext.SessionState.InvokeCommand.ExpandString($UserInput)
+    $executionContext.SessionState.InvokeCommand.ExpandString($UserInput) # BAD
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -1,51 +1,51 @@`
`1`	`1`	`function Invoke-InvokeExpressionInjection1`
`2`	`2`	`{`
`3`	`3`	`param($UserInput)`
`4`		`- Invoke-Expression "Get-Process -Name $UserInput"`
	`4`	`+ Invoke-Expression "Get-Process -Name $UserInput" # BAD`
`5`	`5`	`}`
`6`	`6`
`7`	`7`	`function Invoke-InvokeExpressionInjection2`
`8`	`8`	`{`
`9`	`9`	`param($UserInput)`
`10`		`- iex "Get-Process -Name $UserInput"`
	`10`	`+ iex "Get-Process -Name $UserInput" # BAD`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`function Invoke-InvokeExpressionInjection3`
`14`	`14`	`{`
`15`	`15`	`param($UserInput)`
`16`		`- $executionContext.InvokeCommand.InvokeScript("Get-Process -Name $UserInput")`
	`16`	`+ $executionContext.InvokeCommand.InvokeScript("Get-Process -Name $UserInput") # BAD`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`function Invoke-InvokeExpressionInjection4`
`20`	`20`	`{`
`21`	`21`	`param($UserInput)`
`22`		`- $host.Runspace.CreateNestedPipeline("Get-Process -Name $UserInput", $false).Invoke()`
	`22`	`+ $host.Runspace.CreateNestedPipeline("Get-Process -Name $UserInput", $false).Invoke() # BAD`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`function Invoke-InvokeExpressionInjection5`
`26`	`26`	`{`
`27`	`27`	`param($UserInput)`
`28`		`- [PowerShell]::Create().AddScript("Get-Process -Name $UserInput").Invoke()`
	`28`	`+ [PowerShell]::Create().AddScript("Get-Process -Name $UserInput").Invoke() # BAD`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`function Invoke-InvokeExpressionInjection6`
`32`	`32`	`{`
`33`	`33`	`param($UserInput)`
`34`		`- Add-Type "public class Foo { $UserInput }"`
	`34`	`+ Add-Type "public class Foo { $UserInput }" # BAD`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`function Invoke-InvokeExpressionInjection7`
`38`	`38`	`{`
`39`	`39`	`param($UserInput)`
`40`		`- Add-Type -TypeDefinition "public class Foo { $UserInput }"`
	`40`	`+ Add-Type -TypeDefinition "public class Foo { $UserInput }" # BAD`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`function Invoke-InvokeExpressionInjection8`
`44`	`44`	`{`
`45`	`45`	`param($UserInput)`
`46`	`46`
`47`	`47`	`$code = "public class Foo { $UserInput }"`
`48`		`- Add-Type -TypeDefinition $code`
	`48`	`+ Add-Type -TypeDefinition $code # BAD`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`function Invoke-InvokeExpressionInjectionFP`
`@@ -72,21 +72,21 @@ function Invoke-ExploitableCommandInjection1`
`72`	`72`	`{`
`73`	`73`	`param($UserInput)`
`74`	`74`
`75`		`- powershell -command "Get-Process -Name $UserInput"`
	`75`	`+ powershell -command "Get-Process -Name $UserInput" # BAD`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`function Invoke-ExploitableCommandInjection2`
`79`	`79`	`{`
`80`	`80`	`param($UserInput)`
`81`	`81`
`82`		`- powershell "Get-Process -Name $UserInput"`
	`82`	`+ powershell "Get-Process -Name $UserInput" # BAD`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`function Invoke-ExploitableCommandInjection3`
`86`	`86`	`{`
`87`	`87`	`param($UserInput)`
`88`	`88`
`89`		`- cmd /c "ping $UserInput"`
	`89`	`+ cmd /c "ping $UserInput" # BAD`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`function Invoke-ScriptBlockInjection1`
`@@ -95,7 +95,7 @@ function Invoke-ScriptBlockInjection1`
`95`	`95`
`96`	`96`	`## Often used when making remote connections`
`97`	`97`
`98`		`- $sb = [ScriptBlock]::Create("Get-Process -Name $UserInput")`
	`98`	`+ $sb = [ScriptBlock]::Create("Get-Process -Name $UserInput") # BAD`
`99`	`99`	`Invoke-Command RemoteServer $sb`
`100`	`100`	`}`
`101`	`101`
`@@ -105,22 +105,22 @@ function Invoke-ScriptBlockInjection2`
`105`	`105`
`106`	`106`	`## Often used when making remote connections`
`107`	`107`
`108`		`- $sb = $executionContext.InvokeCommand.NewScriptBlock("Get-Process -Name $UserInput")`
	`108`	`+ $sb = $executionContext.InvokeCommand.NewScriptBlock("Get-Process -Name $UserInput") # BAD`
`109`	`109`	`Invoke-Command RemoteServer $sb`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`function Invoke-MethodInjection1`
`113`	`113`	`{`
`114`	`114`	`param($UserInput)`
`115`	`115`
`116`		`- Get-Process \| Foreach-Object $UserInput`
	`116`	`+ Get-Process \| Foreach-Object $UserInput # BAD`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`function Invoke-MethodInjection2`
`120`	`120`	`{`
`121`	`121`	`param($UserInput)`
`122`	`122`
`123`		`- (Get-Process -Id $pid).$UserInput()`
	`123`	`+ (Get-Process -Id $pid).$UserInput() # BAD`
`124`	`124`	`}`
`125`	`125`
`126`	`126`
`@@ -136,15 +136,15 @@ function Invoke-ExpandStringInjection1`
`136`	`136`	`param($UserInput)`
`137`	`137`
`138`	`138`	`## Used to attempt a variable resolution`
`139`		`- $executionContext.InvokeCommand.ExpandString($UserInput)`
	`139`	`+ $executionContext.InvokeCommand.ExpandString($UserInput) # BAD`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`function Invoke-ExpandStringInjection2`
`143`	`143`	`{`
`144`	`144`	`param($UserInput)`
`145`	`145`
`146`	`146`	`## Used to attempt a variable resolution`
`147`		`- $executionContext.SessionState.InvokeCommand.ExpandString($UserInput)`
	`147`	`+ $executionContext.SessionState.InvokeCommand.ExpandString($UserInput) # BAD`
`148`	`148`	`}`
`149`	`149`
`150`	`150`