Rule Request: `AvoidPlaintextParameterPasswords`

Open iRon7 opened this issue 2 months ago • 0 comments

Similar to the rule AvoidUsingPlainTextForPassword, passing plaintext passwords to external/binary cmdlets should be avoided.

This includes cmdlets such as:

```
PS C:\> Get-Command -ParameterName Password

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Register-ScheduledTask                             1.0.0.0    ScheduledTasks
Function        Set-ScheduledTask                                  1.0.0.0    ScheduledTasks
```

But it could potentially be any imported (binary) cmdlet with a bound parameter named `Password` and of type `String`. Knowing that the AvoidUsingPlainTextForPassword rule might not capture the security risk when using a different variable name (e.g. `-Password $Wachtwoord`) or a password that is statically provided:

```powershell
Invoke-ScriptAnalyzer -ScriptDefinition {
Set-ScheduledTask -TaskName 'SoftwareScan' -Trigger $Time -User 'User' -Password 'P@ssw0rd'
}.ToString()
```

Related:

  • Rule request: AvoidSecureStringDisclosure #1997
  • PowerShell issue: https://github.com/PowerShell/PowerShell/issues/26366 and https://github.com/PowerShell/PowerShell/issues/16502
  • Document issue: https://github.com/MicrosoftDocs/windows-powershell-docs/issues/4051

iRon7, Nov 03 '25 19:11
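An AST-based sketch of the check requested above, added here as an example; it is not part of the issue and not a rule shipped with PSScriptAnalyzer. The function name `Find-PlaintextPasswordArgument` and the second sample line are assumptions, and the check is purely syntactic: it sees what is bound to `-Password` but cannot confirm that the target parameter is of type `String`, and it does not match abbreviated parameter names.

```powershell
using namespace System.Management.Automation.Language

# Hypothetical helper (not a PSScriptAnalyzer rule): reports every command call
# that binds a value to a parameter written as -Password.
function Find-PlaintextPasswordArgument {
    param([Parameter(Mandatory)][string]$ScriptDefinition)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptDefinition, [ref]$tokens, [ref]$errors)

    # All command invocations, including those inside nested script blocks.
    $commands = $ast.FindAll({ param($node) $node -is [CommandAst] }, $true)

    foreach ($command in $commands) {
        $elements = $command.CommandElements
        for ($i = 0; $i -lt $elements.Count; $i++) {
            $parameter = $elements[$i] -as [CommandParameterAst]
            if (-not $parameter -or $parameter.ParameterName -ne 'Password') { continue }

            # The value is either attached (-Password:'x') or the next element.
            $value = $parameter.Argument
            if (-not $value -and ($i + 1) -lt $elements.Count) { $value = $elements[$i + 1] }

            $kind = if ($value -is [ConstantExpressionAst]) { 'Literal' }
                elseif ($value -is [ExpandableStringExpressionAst]) { 'ExpandableString' }
                elseif ($value -is [VariableExpressionAst]) { 'Variable' }
                else { $null }
            if (-not $kind) { continue }   # e.g. -Password followed by another parameter

            # Report the location only; the finding never echoes the secret itself.
            [pscustomobject]@{
                Command = $command.GetCommandName()
                Kind    = $kind
                Line    = $value.Extent.StartLineNumber
                Column  = $value.Extent.StartColumnNumber
            }
        }
    }
}

# First line is the script from the issue; the second is constructed for illustration.
$sample = @'
Set-ScheduledTask -TaskName 'SoftwareScan' -Trigger $Time -User 'User' -Password 'P@ssw0rd'
Register-ScheduledTask -TaskName 'Scan' -User 'User' -Password $Wachtwoord
'@

Find-PlaintextPasswordArgument -ScriptDefinition $sample | Format-Table -AutoSize
```

`Literal` and `ExpandableString` findings are plaintext by construction; a `Variable` finding still needs type resolution (for example against `Get-Command` metadata for the target parameter) before it can be treated as a violation.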