Merged
Changes from 1 commit
@@ -34,12 +34,19 @@ module CommandInjection {
class FlowSourceAsSource extends Source {
FlowSourceAsSource() {
this instanceof SourceNode and
not this instanceof EnvironmentVariableSource
not this instanceof EnvironmentVariableSource and
not this instanceof InvokeWebRequest
Collaborator:
Should we only remove it when it's given a constant string literal as a source? Or do you think it's better to totally remove it like you're doing here?

Author:
I think totally remove it. It could be a case if there's flow from user input -> InvokeWebRequest -> command call, but that's more of an SSRF vuln first, which we can model as a separate query.

}

override string getSourceType() { result = "user-provided value" }
}

class InvokeWebRequest extends DataFlow::CallNode {
InvokeWebRequest(){
this.matchesName("Invoke-WebRequest")
}
}

/**
* A command argument to a function that initiates an operating system command.
*/
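Review bot: `matchesName("Invoke-WebRequest")` in the new `InvokeWebRequest` class keys the exclusion on the literal cmdlet name, so unless `matchesName` resolves aliases, the same download written as `iwr` (or `wget`/`curl`, which alias Invoke-WebRequest in Windows PowerShell 5.1) or as `Invoke-RestMethod` is still reported as a "user-provided value", while every Invoke-WebRequest call is dropped regardless of where its URI came from, including the user input -> Invoke-WebRequest -> command path the thread defers to a separate SSRF query. Both points belong in a QLDoc comment on the class, in the `/** ... */` style used for the command-argument class just below, and `InvokeWebRequest(){` wants a space before the brace to match `FlowSourceAsSource() {`.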
@@ -61,14 +61,14 @@ edges
| test.ps1:185:42:185:47 | input | test.ps1:144:11:144:20 | userinput | provenance | |
| test.ps1:186:58:186:63 | input | test.ps1:153:11:153:20 | userinput | provenance | |
| test.ps1:187:41:187:46 | input | test.ps1:159:11:159:20 | userinput | provenance | |
| test.ps1:245:5:245:6 | o | test.ps1:248:7:248:10 | $o | provenance | |
| test.ps1:245:10:245:32 | Call to read-host | test.ps1:245:5:245:6 | o | provenance | Src:MaD:0 |
| test.ps1:256:5:256:10 | input | test.ps1:257:5:257:21 | env:bar | provenance | |
| test.ps1:256:5:256:10 | input | test.ps1:257:5:257:21 | env:bar | provenance | |
| test.ps1:256:14:256:36 | Call to read-host | test.ps1:256:5:256:10 | input | provenance | Src:MaD:0 |
| test.ps1:256:14:256:36 | Call to read-host | test.ps1:256:5:256:10 | input | provenance | Src:MaD:0 |
| test.ps1:257:5:257:21 | env:bar | test.ps1:259:5:259:6 | y | provenance | |
| test.ps1:259:5:259:6 | y | test.ps1:260:7:260:10 | $y | provenance | |
| test.ps1:254:5:254:6 | o | test.ps1:257:7:257:10 | $o | provenance | |
| test.ps1:254:10:254:32 | Call to read-host | test.ps1:254:5:254:6 | o | provenance | Src:MaD:0 |
| test.ps1:265:5:265:10 | input | test.ps1:266:5:266:21 | env:bar | provenance | |
| test.ps1:265:5:265:10 | input | test.ps1:266:5:266:21 | env:bar | provenance | |
| test.ps1:265:14:265:36 | Call to read-host | test.ps1:265:5:265:10 | input | provenance | Src:MaD:0 |
| test.ps1:265:14:265:36 | Call to read-host | test.ps1:265:5:265:10 | input | provenance | Src:MaD:0 |
| test.ps1:266:5:266:21 | env:bar | test.ps1:268:5:268:6 | y | provenance | |
| test.ps1:268:5:268:6 | y | test.ps1:269:7:269:10 | $y | provenance | |
nodes
| test.ps1:3:11:3:20 | userinput | semmle.label | userinput |
| test.ps1:4:23:4:52 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
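Review bot: the `input` and `Call to read-host` rows for test.ps1:265 each appear twice in the new block, exactly as they did for 256 in the old one, so the duplication is inherited rather than introduced here; still, a doubled edge usually means the same `read-host` call is picked up by two source definitions (the `Src:MaD:0` provenance suggests a MaD model alongside `FlowSourceAsSource`), and that is worth checking separately, since it would double every path that the new exclusion is meant to trim as well.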
@@ -133,15 +133,15 @@ nodes
| test.ps1:185:42:185:47 | input | semmle.label | input |
| test.ps1:186:58:186:63 | input | semmle.label | input |
| test.ps1:187:41:187:46 | input | semmle.label | input |
| test.ps1:245:5:245:6 | o | semmle.label | o |
| test.ps1:245:10:245:32 | Call to read-host | semmle.label | Call to read-host |
| test.ps1:248:7:248:10 | $o | semmle.label | $o |
| test.ps1:256:5:256:10 | input | semmle.label | input |
| test.ps1:256:5:256:10 | input | semmle.label | input |
| test.ps1:256:14:256:36 | Call to read-host | semmle.label | Call to read-host |
| test.ps1:257:5:257:21 | env:bar | semmle.label | env:bar |
| test.ps1:259:5:259:6 | y | semmle.label | y |
| test.ps1:260:7:260:10 | $y | semmle.label | $y |
| test.ps1:254:5:254:6 | o | semmle.label | o |
| test.ps1:254:10:254:32 | Call to read-host | semmle.label | Call to read-host |
| test.ps1:257:7:257:10 | $o | semmle.label | $o |
| test.ps1:265:5:265:10 | input | semmle.label | input |
| test.ps1:265:5:265:10 | input | semmle.label | input |
| test.ps1:265:14:265:36 | Call to read-host | semmle.label | Call to read-host |
| test.ps1:266:5:266:21 | env:bar | semmle.label | env:bar |
| test.ps1:268:5:268:6 | y | semmle.label | y |
| test.ps1:269:7:269:10 | $y | semmle.label | $y |
subpaths
#select
| test.ps1:4:23:4:52 | Get-Process -Name $UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
@@ -164,5 +164,5 @@ subpaths
| test.ps1:147:63:147:72 | UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:147:63:147:72 | UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
| test.ps1:154:23:154:52 | Get-Process -Name $UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:154:23:154:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
| test.ps1:160:29:160:38 | UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:160:29:160:38 | UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
| test.ps1:248:7:248:10 | $o | test.ps1:245:10:245:32 | Call to read-host | test.ps1:248:7:248:10 | $o | This command depends on a $@. | test.ps1:245:10:245:32 | Call to read-host | user-provided value |
| test.ps1:260:7:260:10 | $y | test.ps1:256:14:256:36 | Call to read-host | test.ps1:260:7:260:10 | $y | This command depends on a $@. | test.ps1:256:14:256:36 | Call to read-host | user-provided value |
| test.ps1:257:7:257:10 | $o | test.ps1:254:10:254:32 | Call to read-host | test.ps1:257:7:257:10 | $o | This command depends on a $@. | test.ps1:254:10:254:32 | Call to read-host | user-provided value |
| test.ps1:269:7:269:10 | $y | test.ps1:265:14:265:36 | Call to read-host | test.ps1:269:7:269:10 | $y | This command depends on a $@. | test.ps1:265:14:265:36 | Call to read-host | user-provided value |
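Review bot: this hunk is a pure shift of the two existing alerts from old lines 245/256 to 254/265 (the nine lines inserted into test.ps1) with no row for the new `Get-NugetHardcoded` case, which is the intended negative result, but nothing in the expected output shows that `. $nugetPathSafe` was ever reported before `not this instanceof InvokeWebRequest` went in. Suggest running the test once with that line dropped and confirming an alert appears, and saying so in the PR, so the case actually guards the exclusion rather than passing vacuously.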
@@ -186,6 +186,15 @@ Invoke-ExpandStringInjection2 -UserInput $input
Invoke-InvokeExpressionInjectionCmdletBinding -userInput $input
Invoke-StartProcessInjection -UserInput $input

function Get-NugetHardcoded
{
Invoke-WebRequest "https://somehardcodedwebsite.org/somefile.exe" -OutFile $webRequestResultSafe
return $webRequestResultSafe
}

$nugetPathSafe = Get-NugetHardcoded
. $nugetPathSafe

#typed input
function Invoke-InvokeExpressionInjectionSafe1
{
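Review bot: `$webRequestResultSafe` is never assigned in `Get-NugetHardcoded`; it is only passed as the `-OutFile` path, which Invoke-WebRequest writes to rather than into, and with `-OutFile` given the cmdlet returns nothing, so the function returns `$null` and `. $nugetPathSafe` dot-sources nothing. Unless the library models `-OutFile` as an output argument, no value from the Invoke-WebRequest call reaches the sink, and the case would stay quiet even without the `InvokeWebRequest` exclusion. Assign the path first and let the returned value depend on the call, for example
$webRequestResultSafe = Join-Path $env:TEMP 'somefile.exe'
Invoke-WebRequest "https://somehardcodedwebsite.org/somefile.exe" -OutFile $webRequestResultSafe
or drop `-OutFile` and return the call's result directly, so there is a source-to-sink edge for the query to suppress; a one-line comment above the function saying the URL is a constant and the case is expected not to alert would also help the next reader of the test.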