Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rule for the use of the command: [ScriptBlock]::Create #1454

Closed
iRon7 opened this issue Apr 20, 2020 · 7 comments
Closed

Rule for the use of the command: [ScriptBlock]::Create #1454

iRon7 opened this issue Apr 20, 2020 · 7 comments
Labels
Area - Rules Issue - New Rule

Comments

@iRon7
Copy link

iRon7 commented Apr 20, 2020

Summary of the new feature
Check for the use of the command: [ScriptBlock]::Create

And return a warning like:

[ScriptBlock]::Create is used. Please remove [ScriptBlock]::Create from script and find other options instead.

For the same reason as PSAvoidUsingInvokeExpression, [ScriptBlock]::Create should not be used as it fabricates a [ScriptBlock] based on input that either originates from somewhere the script author does not have control over or could be a hardcoded as an expression { ... } otherwise.

See also:

What is the latest version of PSScriptAnalyzer at the point of writing
1.18.3
@ghost ghost added the Needs: Triage 🔍 label Apr 20, 2020
@bergmeister
Copy link
Collaborator

The InjectionHunter module already provides a set of custom PSSA rules for that.
Issue #989 is tracking its integration into the built in rules of PSSA. Therefore I am inclined to close this issue, what do you think?

@iRon7
Copy link
Author

iRon7 commented Apr 20, 2020

I agree, the only thing that worries me is that this Issue #989 is open for more then 2 years with hardly any activity. Creating a PSAvoidUsingScriptBlockCreate rule (based on the PSAvoidUsingInvokeExpression rule) is likely much easier to implement.
The purposed PSAvoidUsingScriptBlockCreate rule can simply follow the same life cycle as the PSAvoidUsingInvokeExpression rule, meaning remove/disable it when the Injection Hunter has been integrated into PSSA.

Anyways, I leave it up to you to close this issue (or not).

@bergmeister
Copy link
Collaborator

It is the nature of open source projects that many issues don't get picked up due to a lack of resourcing or prioritisation. If you want, feel free to create a PR just for that rule.

@iRon7 iRon7 mentioned this issue Apr 25, 2020
Closed
@bergmeister
Copy link
Collaborator

@iRon7 Do you plan to open a PR? If not, I am going to close in favour of the existing issue #989

@rjmholt
Copy link
Contributor

rjmholt commented May 1, 2020

Personally my preference would be to just enhance the Invoke-Expression rule; it's not well named, but I think the spirit of the rule is "avoid arbitrary script evaluation", which this is

@iRon7
Copy link
Author

iRon7 commented May 2, 2020
edited

@bergmeister, sorry for my late reaction, I never did a formal PR before, I feel that I first need some more time to familiarize myself with the processes behind but I am to busy at the moment with some other projects.
In other words, I have closed the issue for now as I can always reopen it if I feel more confident and there is no progress with #989.

@iRon7 iRon7 closed this as completed May 2, 2020
@iRon7
Copy link
Author

iRon7 commented May 10, 2020
edited

Just an additional note:

Like Invoke-Expression and [ScriptBlock]::Create(), $ExecutionContext.InvokeCommand.ExpandString could also be exploit by malicious code injections, e.g.:

$Test = 'test $("test" | Set-Content .\test.txt) 123'
$ExecutionContext.InvokeCommand.ExpandString($Test)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area - Rules Issue - New Rule
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rjmholt @iRon7 @bergmeister @SydneyhSmith