PS: Add documentation.

MathiasVP · MathiasVP · commit f7c9899450c2 · 2025-07-04T19:44:39.000+01:00
diff --git a/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.qhelp b/powershell/ql/src/queries/security/cwe-250/InsecureExecutionPolicy.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The command <code>Set-ExecutionPolicy</code> is used to set the execution policies for Windows computers.
+The execution policy is used to determine which configuration files can be loaded and which scripts can be run.
+Setting the execution policy to <code>Bypass</code> disables all warnings and signature checks for script execution,
+allowing any script—including malicious or unsigned code—to run without restriction.</p>
+</overview>
+
+<recommendation>
+<p>Always prefer <code>AllSigned</code> to enforce full signature verification.</p>
+<p>If this is not possible, set the execution policy to <code>RemoteSigned</code> to allow local scripts while requiring downloaded scripts to be signed.</p>
+<p>Always limit the scope of the execution policy by supplying the most restrictive <code>Scope</code> as possible. Use <code>Process</code> to limit the execution policy to the current PowerShell session. When no <code>Scope</code> is supplied the execution policy change is applied system-wide.
+</recommendation>
+
+<example>
+<p>In the following example, <code>Set-ExecutionPolicy</code> is called twice</p>
+
+<p>The first call sets the execution policy to <code>Bypass</code> which allows any script to be run.</p>
+
+<p>The second call sets the execution policy to <code>RemoteSigned</code> which allows local scripts to be run,
+but requires scripts and configurations downloaded from the Internet to be signed.</p>
+
+<sample src="examples/InsecureExecutionPolicy.ps1" />
+</example>
+
+<references>
+<li>MSDN: <a href="https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy">Set-ExecutionPolicy</a>.</li>
+</references>
+</qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-250/examples/InsecureExecutionPolicy.ps1 b/powershell/ql/src/queries/security/cwe-250/examples/InsecureExecutionPolicy.ps1
@@ -0,0 +1,9 @@
+Invoke-WebRequest -Uri "https://example.com/script.ps1" -OutFile "C:\Path\To\script.ps1"
+
+# BAD: No warnings or prompts when running potentially unsafe scripts
+Set-ExecutionPolicy Bypass
+& "C:\Path\To\script.ps1" # Will never be blocked
+
+# GOOD: Requires that scripts and configuration files downloaded from the Internet are signed
+Set-ExecutionPolicy RemoteSigned
+& "C:\Path\To\script.ps1" # Will not run unless script.ps1 is signed
