This repository was archived by the owner on Feb 24, 2021. It is now read-only.

Security Auditing for PowerShell Scripts #278

@johlju


As read here: PowerShell Injection Hunter: Security Auditing for PowerShell Scripts

We could make an opt-in test that checks for this. Maybe it should not fail the tests, but at least output warnings when not opted in. There is an issue in SqlServerDsc that is not possible to resolve (I think), but it would be good to at least get a warning about it.

```powershell
Install-Module -Name InjectionHunter
cd C:\source\SqlServerDsc
$invokeScriptAnalyzerParameters = @{
    Path = '.\DSCResources\MSFT_SqlAG\MSFT_SqlAG.psm1'
    CustomRulePath = @(
        '.\DSCResource.Tests\DscResource.AnalyzerRules\'
        (Get-Module -Name InjectionHunter -ListAvailable).Path
    )
}

Invoke-ScriptAnalyzer @invokeScriptAnalyzerParameters
```

```text
RuleName                            Severity     ScriptName Line  Message
--------                            --------     ---------- ----  -------
PSDSCDscExamplesPresent             Information  MSFT_SqlAG 1     No examples found for resource 'MSFT_SqlAG'
                                                 .psm1
PSDSCUseVerboseMessageInDSCResource Information  MSFT_SqlAG 18    There is no call to Write-Verbose in DSC function
                                                 .psm1            'Get-TargetResource'. If you are using Write-Verbose
                                                                  in a helper function, suppress this rule application.
PSDSCUseVerboseMessageInDSCResource Information  MSFT_SqlAG 146   There is no call to Write-Verbose in DSC function
                                                 .psm1            'Set-TargetResource'. If you are using Write-Verbose
                                                                  in a helper function, suppress this rule application.
PSDSCUseVerboseMessageInDSCResource Information  MSFT_SqlAG 522   There is no call to Write-Verbose in DSC function
                                                 .psm1            'Test-TargetResource'. If you are using
                                                                  Write-Verbose in a helper function, suppress this
                                                                  rule application.
DscResource.AnalyzerRules\FunctionO Warning      MSFT_SqlAG 18    Functions should not have the open brace on the same
peningBraceNotOnSameLine                         .psm1            line as the function name. See https://github.com/Pow
                                                                  erShell/DscResources/blob/master/StyleGuidelines.md#o
                                                                  ne-newline-before-braces
InjectionRisk.StaticPropertyInjecti Warning      MSFT_SqlAG 687   Possible property access injection via dynamic
on                                               .psm1            member access. Untrusted input can cause arbitrary
                                                                  static properties to be accessed:
                                                                  $getTargetResourceResult.($parameterName)
```

The code it warns on is this.
https://github.com/PowerShell/SqlServerDsc/blob/6d4251265c4cb9ad63a02615b9b78759f6a1d086/DSCResources/MSFT_SqlAG/MSFT_SqlAG.psm1#L688-L693
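An added example (not code from the issue author or from the DscResource.Tests project) of the opt-in test the issue proposes: a Pester test that runs only the InjectionHunter rules through Invoke-ScriptAnalyzer, reports every finding as a warning, and fails the test only when the assumed environment variable DSC_INJECTION_HUNTER_FAIL is set to 1. The test file location (<repo>\Tests) and the variable name are assumptions.

```powershell
# Added example, not part of the issue or the DscResource.Tests project.
# Runs the InjectionHunter rules over every DSC resource module and reports
# findings as warnings; failing is opt-in via DSC_INJECTION_HUNTER_FAIL=1
# (assumed variable name).
$script:moduleRoot = Split-Path -Parent $PSScriptRoot      # assumes this file lives in <repo>\Tests
$script:failOnFinding = ($env:DSC_INJECTION_HUNTER_FAIL -eq '1')

Describe 'InjectionHunter security audit' {
    # Locate the InjectionHunter module; it ships its rules as a .psm1 usable as a custom rule path.
    $injectionHunter = Get-Module -Name InjectionHunter -ListAvailable | Select-Object -First 1
    if (-not $injectionHunter) {
        Write-Warning 'InjectionHunter is not installed (Install-Module -Name InjectionHunter); skipping audit.'
        return
    }

    $resourceFiles = Get-ChildItem -Path (Join-Path $script:moduleRoot 'DSCResources') -Filter '*.psm1' -Recurse

    foreach ($file in $resourceFiles) {
        It "should not contain injection risks in $($file.Name)" {
            # Without -IncludeDefaultRules only the custom (InjectionHunter) rules run,
            # so the built-in PSDSC* and style rules do not add noise here.
            $findings = Invoke-ScriptAnalyzer -Path $file.FullName -CustomRulePath $injectionHunter.Path |
                Where-Object { $_.RuleName -like 'InjectionRisk.*' }

            # Always surface findings, e.g. the dynamic member access the issue quotes.
            foreach ($finding in $findings) {
                Write-Warning ('{0}:{1} {2}: {3}' -f $file.Name, $finding.Line, $finding.RuleName, $finding.Message)
            }

            # Only enforce when the caller opted in.
            if ($script:failOnFinding) {
                $findings | Should -BeNullOrEmpty
            }
        }
    }
}
```

A finding that cannot be resolved, like the one the issue mentions, still shows up as a warning on every run while the opt-out default keeps the build green.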

Labels: enhancement (The issue is an enhancement request.), help wanted (The issue is up for grabs for anyone in the community.)