Rule for the use of the command: [ScriptBlock]::Create #1454
Comments
The InjectionHunter module already provides a set of custom PSSA rules for that.
I agree, the only thing that worries me is that this Issue #989 is open for more than 2 years with hardly any activity. Creating a Anyways, I leave it up to you to close this issue (or not).
It is the nature of open source projects that many issues don't get picked up due to a lack of resourcing or prioritisation. If you want, feel free to create a PR just for that rule.
Personally my preference would be to just enhance the Invoke-Expression rule; it's not well named, but I think the spirit of the rule is "avoid arbitrary script evaluation", which this is.
@bergmeister, sorry for my late reaction, I never did a formal PR before. I feel that I first need some more time to familiarize myself with the processes behind it, but I am too busy at the moment with some other projects.
Just an additional note, like:

```powershell
# The subexpression inside the single-quoted string is literal text until
# ExpandString evaluates it, at which point Set-Content actually runs.
$Test = 'test $("test" | Set-Content .\test.txt) 123'
$ExecutionContext.InvokeCommand.ExpandString($Test)
```
Summary of the new feature
Check for the use of the command:
[ScriptBlock]::Create
And return a warning like:
For the same reason as PSAvoidUsingInvokeExpression, [ScriptBlock]::Create should not be used as it fabricates a [ScriptBlock] based on input that either originates from somewhere the script author does not have control over or could be hardcoded as an expression { ... } otherwise.
See also: #12377
What is the latest version of PSScriptAnalyzer at the point of writing
1.18.3
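The check the issue proposes, as an added example that is not PSScriptAnalyzer's own code and not part of the original issue: a PSSA-style rule function that walks the AST and flags `[ScriptBlock]::Create(...)` as well as the `.ExpandString(...)` case raised in the comments above. It distinguishes a constant-string argument (where a `{ ... }` literal would do) from an input-derived one. The function name `Measure-AvoidScriptBlockCreate`, the rule name `PSAvoidUsingScriptBlockCreate`, the message wording and the sample script are all assumptions made for this example; the rule returns plain objects so it runs without the PSScriptAnalyzer module installed.

```powershell
# Added example (not PSScriptAnalyzer's code): a custom rule in the shape PSSA
# expects (a Measure-* function taking a ScriptBlockAst), plus a stand-alone
# driver that parses a constructed script and runs the rule over it.
using namespace System.Management.Automation.Language

function Measure-AvoidScriptBlockCreate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ScriptBlockAst]$ScriptBlockAst
    )

    # Every method call in the script, including nested script blocks.
    $invocations = $ScriptBlockAst.FindAll({
        param($ast) $ast -is [InvokeMemberExpressionAst]
    }, $true)

    foreach ($call in $invocations) {
        # Member is only a fixed name when it is a string constant ($obj.$name() is dynamic).
        $memberName = if ($call.Member -is [StringConstantExpressionAst]) { $call.Member.Value } else { $null }
        $kind = $null

        # [ScriptBlock]::Create(...) / [System.Management.Automation.ScriptBlock]::Create(...)
        if ($call.Static -and
            $call.Expression -is [TypeExpressionAst] -and
            $call.Expression.TypeName.GetReflectionType() -eq [scriptblock] -and
            $memberName -eq 'Create') {
            $kind = '[ScriptBlock]::Create'
        }
        # $ExecutionContext.InvokeCommand.ExpandString(...) evaluates $( ) subexpressions too.
        elseif ($memberName -eq 'ExpandString') {
            $kind = '.ExpandString'
        }
        if (-not $kind) { continue }

        $argument = $call.Arguments | Select-Object -First 1
        $message = if ($argument -is [StringConstantExpressionAst]) {
            "$kind is called with a constant string; write a script block literal { ... } instead."
        }
        elseif ($null -eq $argument) {
            "$kind is called without an argument."
        }
        else {
            "$kind evaluates its argument as code; the value of '$($argument.Extent.Text)' must not come from outside the script's control."
        }

        # A real PSSA custom rule returns DiagnosticRecord objects; a plain object
        # with the same fields keeps this example runnable without the module.
        [PSCustomObject]@{
            RuleName = 'PSAvoidUsingScriptBlockCreate'   # assumed name
            Severity = 'Warning'
            Line     = $call.Extent.StartLineNumber
            Extent   = $call.Extent.Text
            Message  = $message
        }
    }
}

# Constructed sample script (single-quoted here-string, so nothing is expanded here).
$sample = @'
param([string]$Name)
$fromInput = [ScriptBlock]::Create("Get-Item $Name")      # input-derived: flagged
$constant  = [scriptblock]::Create('Get-Date')            # constant: use { Get-Date }
$fullName  = [System.Management.Automation.ScriptBlock]::Create($Name)
$t = 'x $("test" | Set-Content .\test.txt) y'
$ExecutionContext.InvokeCommand.ExpandString($t)          # subexpression runs: flagged
$safe = { param($p) Get-Item $p }                          # literal: not flagged
'@

$tokens = $null; $errors = $null
$ast = [Parser]::ParseInput($sample, [ref]$tokens, [ref]$errors)
Measure-AvoidScriptBlockCreate -ScriptBlockAst $ast | Format-Table -AutoSize
```

Running this prints four findings (lines 2, 3, 4 and 6 of the sample) and leaves the `{ param($p) Get-Item $p }` literal alone. To ship it as an actual custom rule, put the function in a `.psm1`, export it, return `Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic.DiagnosticRecord` objects (message, extent, rule name, severity, script path) in place of the `PSCustomObject`, and pass the module via `Invoke-ScriptAnalyzer -CustomRulePath`. The type check uses `GetReflectionType()` so that `[scriptblock]` and the fully qualified type name are treated alike.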