
Integrate Injection Hunter with PSSA

Open SteveL-MSFT opened this issue 7 years ago • 3 comments

Injection Hunter is a module that has rules to detect coding practices leading to injection attacks. We should integrate this module with PSSA.

SteveL-MSFT avatar May 07 '18 19:05 SteveL-MSFT

The rules defined are:

  • Measure-InvokeExpression : I think we do not need to port this because there is already an AvoidUsingInvokeExpression rule
  • Measure-AddType
  • Measure-DangerousMethod
  • Measure-CommandInjection
  • Measure-ForeachObjectInjection
  • Measure-PropertyInjection
  • Measure-MethodInjection : This one is
  • Measure-UnsafeEscaping

Some comments:

  • Measure-MethodInjection and Measure-PropertyInjection look a bit odd, as they flag any InvokeMemberExpressionAst with non-constant input, which will flag 90% of all PowerShell scripts because that's the purpose of PowerShell scripting. The community has told us in the past that they do not like excessive false positives.
  • Measure-CommandInjection is too simple to me, it just looks for command strings matching cmd|powershell and command elements matching /c|/k|command. And I am not even talking about obfuscation. Measure-DangerousMethod is simplistic as well but I can see the value in some of its searches.

Overall this module is a good example of code that is easily portable to C#, but all those decisions are of course up to you.

Did @LeeHolmes write this module? At the moment there is no licensing information about it.

bergmeister avatar May 08 '18 18:05 bergmeister
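To make the two rule shapes discussed in the comment above concrete, here is an added example (written for this thread; it is not InjectionHunter's or PSScriptAnalyzer's own code) that walks a script's AST the same way a Measure-* rule does. It shows why a check on "any InvokeMemberExpressionAst with non-constant input" fires on `$obj.$name()` but not on `$obj.ToString()`, and a simplified command-string check that flags `cmd`/`powershell` invocations only when an argument is not a string constant. The function name `Find-InjectionCandidates`, the pattern `^(cmd|powershell|pwsh)(\.exe)?$` and the sample script are all my own constructions, not anything from the module.

```powershell
# Added example for this issue thread; not InjectionHunter or PSScriptAnalyzer code.
# Parses a script with the PowerShell parser and reports two kinds of AST nodes.
using namespace System.Management.Automation.Language

function Find-InjectionCandidates {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw "Parse errors: $($errors.Message -join '; ')"
    }

    $findings = [System.Collections.Generic.List[object]]::new()

    # Shape 1 (MethodInjection style): member invocation whose member name is
    # not a string constant. $obj.$memberName() is flagged; $obj.ToString() is not.
    $invokes = $ast.FindAll({ $args[0] -is [InvokeMemberExpressionAst] }, $true)
    foreach ($node in $invokes) {
        if ($node.Member -isnot [StringConstantExpressionAst]) {
            $findings.Add([pscustomobject]@{
                Rule = 'NonConstantMemberInvocation'
                Line = $node.Extent.StartLineNumber
                Text = $node.Extent.Text
            })
        }
    }

    # Shape 2 (CommandInjection style, simplified and my own variant): a call to
    # cmd/powershell/pwsh where at least one argument is not a string constant.
    $commands = $ast.FindAll({ $args[0] -is [CommandAst] }, $true)
    foreach ($node in $commands) {
        $name = $node.GetCommandName()
        if (-not $name) { continue }   # e.g. & $someVariable, no static name
        if ($name -match '^(cmd|powershell|pwsh)(\.exe)?$') {
            $nonConstantArgs = @($node.CommandElements |
                Select-Object -Skip 1 |
                Where-Object { $_ -isnot [StringConstantExpressionAst] })
            if ($nonConstantArgs.Count -gt 0) {
                $findings.Add([pscustomobject]@{
                    Rule = 'ShellWithNonConstantArgument'
                    Line = $node.Extent.StartLineNumber
                    Text = $node.Extent.Text
                })
            }
        }
    }

    return $findings
}

# Constructed sample input: two lines that should be flagged, two that should not.
$sample = @'
$obj.ToString()
$obj.$memberName()
cmd /c dir
cmd /c $userInput
'@

Find-InjectionCandidates -ScriptText $sample | Format-Table -AutoSize
```

Running this under pwsh reports line 2 (`$obj.$memberName()`) and line 4 (`cmd /c $userInput`) and leaves lines 1 and 3 alone. A real PSScriptAnalyzer custom rule has the same skeleton but takes a `[ScriptBlockAst]` parameter and returns `Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord` objects instead of custom objects; the false-positive question raised in the comment is decided entirely by how narrow the predicate in each `FindAll` is.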

@bergmeister Yes, I believe that module was written by @LeeHolmes .

SteveL-MSFT avatar May 10 '18 03:05 SteveL-MSFT

This request makes a lot of sense to me, knowing that:

  • The PSScriptAnalyzer security policy apparently changed recently and is considered important.
    • Where if the statement "Microsoft takes the security of our software products and services seriously" really counts, it should be propagated to the next tier, meaning helping users to avoid writing scripts that might expose security (injection) risks (as I see it, this is something for the PSScriptAnalyzer to reveal)
  • The InjectionHunter module on the PowerShell Gallery appears outdated, no longer maintained and has some known (unqualified) issues, see: https://github.com/matt2005/InjectionHunter

iRon7 avatar Aug 13 '24 09:08 iRon7