From 17f9c9a0b528c105edea505035ec7694d7479a80 Mon Sep 17 00:00:00 2001
From: Chanel Young
Date: Thu, 9 Jan 2025 10:22:32 -0800
Subject: [PATCH 1/2] invoke expression powershell query
---
 .../cwe-078/DoNotUseInvokeExpression.ql | 16 +++++++++
 .../cwe-078/DoNotuseInvokeExpression.qhelp | 33 +++++++++++++++++++
 .../DoNotUseInvokeExpression.expected | 1 +
 .../DoNotUseInvokeExpression.qlref | 1 +
 .../cwe-078/DoNotUseInvokeExpression/test.ps1 | 2 ++
 5 files changed, 53 insertions(+)
 create mode 100644 powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql
 create mode 100644 powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
 create mode 100644 powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected
 create mode 100644 powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
 create mode 100644 powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
diff --git a/powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql b/powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql
new file mode 100644
index 000000000000..c0b88293a011
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-078/DoNotUseInvokeExpression.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Use of Invoke-Expression
+ * @description Do not use Invoke-Expression
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id powershell/do-not-use-invoke-expression
+ * @tags security
+ */
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+
+from CmdCall call
+where call.getName() = "Invoke-Expression"
+select call, "Do not use Invoke-Expression. It is a command injection risk."
\ No newline at end of file
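Review bot: The `where` clause in the last three lines of the hunk matches only the literal spelling `Invoke-Expression`, so a call written through the built-in alias `iex`, or in different casing, goes unreported unless `CmdCall.getName()` already resolves aliases and case, which this hunk does not show; PowerShell treats all of these as the same cmdlet, and test.ps1 in this patch exercises only the exact spelling, so the gap is not covered by the test. `import semmle.code.powershell.dataflow.DataFlow` is unused and should either be dropped or be used to restrict the alert to calls whose argument is not a string literal. As written the query reports the fixture's constant `"Get-Process"` with `@security-severity 9.8` and `@precision high`, which overstates what a purely syntactic match establishes. Since the file lives under cwe-078, the conventional CWE tag is also missing: `@tags security external/cwe/cwe-078`.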
diff --git a/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp b/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
new file mode 100644
index 000000000000..cc6ff7496ee0
--- /dev/null
+++ b/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
@@ -0,0 +1,33 @@
+
+
+
+

+Invoke-Expression cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using Invoke-Expression can lead to arbitrary commands being executed

+ +
+ + +

Avoid using Invoke-Expression in your powershell code.

+ +

If you’re running some command and the command path has spaces in it, then you need the command invocation operator &

+
+ + + +
  • +Powershell: +Invoke-Expression considered harmful. +
  • +
  • +PSScriptAnalyzer: +AvoidUsingInvokeExpression +
  • +
  • +StackOverflow: +In what scenario was Invoke-Expression designed to be used? +
  • + +
    +
    
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected
new file mode 100644
index 000000000000..3b7235e641f0
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.expected
@@ -0,0 +1 @@
+| test.ps1:2:1:2:27 | call to Invoke-Expression | Do not use Invoke-Expression. It is a command injection risk. |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
new file mode 100644
index 000000000000..a006f78d20b4
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/DoNotUseInvokeExpression.qlref
@@ -0,0 +1 @@
+queries/security/cwe-078/DoNotUseInvokeExpression.ql
\ No newline at end of file
diff --git a/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
new file mode 100644
index 000000000000..e075312b4b68
--- /dev/null
+++ b/powershell/ql/test/query-tests/security/cwe-078/DoNotUseInvokeExpression/test.ps1
@@ -0,0 +1,2 @@
+$command = "Get-Process"
+Invoke-Expression $Command
\ No newline at end of file
From 7f5e5ffa373fc6065f05160a150e085261c66b58 Mon Sep 17 00:00:00 2001
From: Chanel <102255874+chanel-y@users.noreply.github.com>
Date: Thu, 9 Jan 2025 10:41:16 -0800
Subject: [PATCH 2/2] Apply suggestions from code review
Co-authored-by: Mathias Vorreiter Pedersen
---
 .../queries/security/cwe-078/DoNotuseInvokeExpression.qhelp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp b/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
index cc6ff7496ee0..cf7d1bbeb681 100644
--- a/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
+++ b/powershell/ql/src/queries/security/cwe-078/DoNotuseInvokeExpression.qhelp
@@ -4,12 +4,12 @@

    -Invoke-Expression cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using Invoke-Expression can lead to arbitrary commands being executed

    +Invoke-Expression cmdlet should only be used as a last resort. In most scenarios, safer and more robust alternatives are available. Using Invoke-Expression can lead to arbitrary commands being executed

    -

    Avoid using Invoke-Expression in your powershell code.

    +

    Avoid using Invoke-Expression in your powershell code.

    If you’re running some command and the command path has spaces in it, then you need the command invocation operator &