This repository has been archived by the owner on Feb 24, 2021. It is now read-only.

Security Auditing for PowerShell Scripts #278

Open
johlju opened this issue Aug 9, 2018 · 0 comments
Labels
enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community.

Comments

@johlju
Contributor

johlju commented Aug 9, 2018

As read here: PowerShell Injection Hunter: Security Auditing for PowerShell Scripts

We could make an opt-in test that checks for this. Maybe it should not fail the tests, but at least output warnings when not opted in. There is an issue in SqlServerDsc that is not possible to resolve (I think), but it would be good to at least get a warning about it.

```powershell
# Install the InjectionHunter rules and run them, together with the
# repository's own analyzer rules, against one DSC resource module.
Install-Module -Name InjectionHunter
cd C:\source\SqlServerDsc
$invokeScriptAnalyzerParameters = @{
    Path = '.\DSCResources\MSFT_SqlAG\MSFT_SqlAG.psm1'
    CustomRulePath = @(
        '.\DSCResource.Tests\DscResource.AnalyzerRules\'
        # Path to the installed InjectionHunter module manifest.
        (Get-Module -Name InjectionHunter -ListAvailable).Path
    )
}

Invoke-ScriptAnalyzer @invokeScriptAnalyzerParameters
```
```text
RuleName                                                    Severity    ScriptName      Line  Message
--------                                                    --------    ----------      ----  -------
PSDSCDscExamplesPresent                                     Information MSFT_SqlAG.psm1 1     No examples found for resource 'MSFT_SqlAG'
PSDSCUseVerboseMessageInDSCResource                         Information MSFT_SqlAG.psm1 18    There is no call to Write-Verbose in DSC function 'Get-TargetResource'. If you are using Write-Verbose in a helper function, suppress this rule application.
PSDSCUseVerboseMessageInDSCResource                         Information MSFT_SqlAG.psm1 146   There is no call to Write-Verbose in DSC function 'Set-TargetResource'. If you are using Write-Verbose in a helper function, suppress this rule application.
PSDSCUseVerboseMessageInDSCResource                         Information MSFT_SqlAG.psm1 522   There is no call to Write-Verbose in DSC function 'Test-TargetResource'. If you are using Write-Verbose in a helper function, suppress this rule application.
DscResource.AnalyzerRules\FunctionOpeningBraceNotOnSameLine Warning     MSFT_SqlAG.psm1 18    Functions should not have the open brace on the same line as the function name. See https://github.com/PowerShell/DscResources/blob/master/StyleGuidelines.md#one-newline-before-braces
InjectionRisk.StaticPropertyInjection                       Warning     MSFT_SqlAG.psm1 687   Possible property access injection via dynamic member access. Untrusted input can cause arbitrary static properties to be accessed: $getTargetResourceResult.($parameterName)
```

The code it warns on is this.
https://github.com/PowerShell/SqlServerDsc/blob/6d4251265c4cb9ad63a02615b9b78759f6a1d086/DSCResources/MSFT_SqlAG/MSFT_SqlAG.psm1#L688-L693
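
An added example, not code from this issue or from SqlServerDsc, of the opt-in check proposed above: a wrapper that runs only the InjectionHunter rules through Invoke-ScriptAnalyzer, reports every InjectionRisk.* finding as a warning by default, and fails the run only when the caller opts in with a switch. The function name Invoke-InjectionHunterAudit, the -FailOnFinding switch and the sample module it is run against are assumptions made for illustration; the PSScriptAnalyzer and InjectionHunter modules must be installed.

```powershell
#Requires -Modules PSScriptAnalyzer

function Invoke-InjectionHunterAudit
{
    <#
        .SYNOPSIS
            Runs the InjectionHunter custom rules over a script or module and
            reports every InjectionRisk.* finding as a warning. With the opt-in
            -FailOnFinding switch the same findings become a terminating error.
            (Hypothetical helper written for this example.)
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Path,

        # Opt-in: fail instead of only warning when findings exist.
        [Parameter()]
        [System.Management.Automation.SwitchParameter]
        $FailOnFinding
    )

    # The manifest path of the newest installed InjectionHunter version is
    # what Invoke-ScriptAnalyzer expects in -CustomRulePath.
    $injectionHunterModule = Get-Module -Name InjectionHunter -ListAvailable |
        Sort-Object -Property Version -Descending |
        Select-Object -First 1

    if (-not $injectionHunterModule)
    {
        throw 'The InjectionHunter module is not installed. Run: Install-Module -Name InjectionHunter'
    }

    # Keep only the InjectionRisk.* rules so that any style rules which also
    # run never influence the security verdict.
    $findings = @(
        Invoke-ScriptAnalyzer -Path $Path -CustomRulePath $injectionHunterModule.Path |
            Where-Object -FilterScript { $_.RuleName -like 'InjectionRisk.*' }
    )

    foreach ($finding in $findings)
    {
        Write-Warning -Message ('{0}: {1} line {2}: {3}' -f $finding.RuleName, $finding.ScriptName, $finding.Line, $finding.Message)
    }

    if ($FailOnFinding -and $findings.Count -gt 0)
    {
        throw ('InjectionHunter reported {0} finding(s) in {1}.' -f $findings.Count, $Path)
    }

    return $findings
}

# Constructed sample module (not SqlServerDsc code) containing the dynamic
# member access pattern that InjectionRisk.StaticPropertyInjection reports.
$sampleModule = @'
function Get-PropertyByName
{
    param ($InputObject, $Name)

    # $Name comes straight from the caller, so any property can be reached.
    return $InputObject.($Name)
}
'@

$samplePath = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'InjectionHunterSample.psm1'
Set-Content -Path $samplePath -Value $sampleModule

# Default behaviour: the finding is written as a warning and the run continues.
$result = Invoke-InjectionHunterAudit -Path $samplePath

# Opt-in behaviour: the same finding now terminates the run.
try
{
    Invoke-InjectionHunterAudit -Path $samplePath -FailOnFinding
}
catch
{
    Write-Host -Object ('Audit failed as requested: {0}' -f $_.Exception.Message)
}
```

Filtering on the rule name rather than on severity is deliberate: InjectionHunter emits its findings as warnings, the same severity the repository's style rules use, so severity alone cannot separate a security finding from a brace-placement complaint.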

@johlju johlju added enhancement The issue is an enhancement request. help wanted The issue is up for grabs for anyone in the community. labels Aug 9, 2018