Psscriptanalyzer port

powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.qhelp

@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.</p>
+
+</overview>
+<recommendation>
+<p>
+If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the <a href="https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretStore">SecretStore</a> module from the PowerShell Gallery.
+</p>
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingconverttosecurestringwithplaintext?view=ps-modules">AvoidUsingConvertToSecureStringWithPlainText</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Use of the AsPlainText parameter in ConvertTo-SecureString
+ * @description Do not use the AsPlainText parameter in ConvertTo-SecureString
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/convert-to-securestring-as-plaintext
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+ from CmdCall c 
+ where 
+ c.getName() = "ConvertTo-SecureString" and
+ c.hasNamedArgument("asplaintext")
+ select c, "Use of AsPlainText parameter in ConvertTo-SecureString call"

powershell/ql/src/experimental/HardcodedComputerName.qhelp

@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The names of computers should never be hard coded as this will expose sensitive information. The <code>ComputerName</code> parameter should never have a hard coded value.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove hardcoded computer names.</p>
+
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingcomputernamehardcoded?view=ps-modules">AvoidUsingComputerNameHardcoded</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>

powershell/ql/src/experimental/HardcodedComputerName.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Hardcoded Computer Name
+ * @description Do not hardcode computer names
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/hardcoded-computer-name
+ * @tags correctness
+ *       security
+ */
+
+import powershell
+
+from Argument a 
+where a.getName() = "computername" and exists(a.getValue())
+select a, "ComputerName argument is hardcoded to" + a.getValue()

powershell/ql/src/experimental/UseOfReservedCmdletChar.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+You cannot use following reserved characters in a function or cmdlet name as these can cause parsing or runtime errors.
+
+Reserved Characters include: #,(){}[]&/\\$^;:\"'<>|?@`*%+=~
+</p>
+
+</overview>
+<recommendation>
+
+<p>Remove reserved characters from names.</p>
+
+</recommendation>
+<references>
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/reservedcmdletchar?view=ps-modules">ReservedCmdletChar</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UseOfReservedCmdletChar.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Reserved Characters in Function Name
+ * @description Do not use reserved characters in function names
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/reserved-characters-in-function-name
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+class ReservedCharacter extends string {
+    ReservedCharacter() { 
+        this = [
+        "!", "@", "#", "$",
+        "&", "*", "(", ")", 
+        "+", "=", "{", "^", 
+        "}", "[", "]", "|", 
+        ";", ":", "'", "\"", 
+        "<", ">", ",", "?", 
+        "/", "~"]
+    }
+}
+
+from Function f, ReservedCharacter r
+where f.getName().matches("%"+ r + "%")
+select f, "Function name contains a reserved character: " + r

powershell/ql/src/experimental/UsernameOrPasswordParameter.qhelp

@@ -0,0 +1,24 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>To standardize command parameters, credentials should be accepted as objects of type <code>PSCredential</code>. Functions should not make use of username or password parameters.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Change the parameter to type <code>PSCredential</code>.</p>
+
+</recommendation>
+<references>
+
+
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingusernameandpasswordparams?view=ps-modules">AvoidUsingUsernameAndPasswordParams</a>.
+</li>
+
+</references>
+</qhelp>

powershell/ql/src/experimental/UsernameOrPasswordParameter.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Use of Username or Password parameter
+ * @description Do not use username or password parameters
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/username-or-password-parameter
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+from Parameter p
+where p.getName().toLowerCase() = ["username", "password"]
+select p, "Do not use username or password parameters."

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.expected

@@ -0,0 +1 @@
+| test.ps1:2:19:2:79 | Call to ConvertTo-SecureString | Use of AsPlainText parameter in ConvertTo-SecureString call |

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.qlref

@@ -0,0 +1 @@
+experimental/ConvertToSecureStringAsPlainText.ql

powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/test.ps1

@@ -0,0 +1,4 @@
+$UserInput = Read-Host 'Please enter your secure code'
+$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
+
+$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString

powershell/ql/test/query-tests/security/HardcodedComputerName/HardcodedComputerName.expected

@@ -0,0 +1,2 @@
+| test.ps1:3:44:3:65 | hardcoderemotehostname | ComputerName argument is hardcoded tohardcoderemotehostname |
+| test.ps1:13:44:13:64 | hardcodelocalhostname | ComputerName argument is hardcoded tohardcodelocalhostname |

powershell/ql/test/query-tests/security/HardcodedComputerName/HardcodedComputerName.qlref

@@ -0,0 +1 @@
+experimental/HardcodedComputerName.ql

powershell/ql/test/query-tests/security/HardcodedComputerName/test.ps1

@@ -0,0 +1,19 @@
+Function Invoke-MyRemoteCommand ()
+{
+    Invoke-Command -Port 343 -ComputerName hardcoderemotehostname
+}
+
+Function Invoke-MyCommand ($ComputerName)
+{
+    Invoke-Command -Port 343 -ComputerName $ComputerName
+}
+
+Function Invoke-MyLocalCommand ()
+{
+    Invoke-Command -Port 343 -ComputerName hardcodelocalhostname
+}
+
+Function Invoke-MyLocalCommand ()
+{
+    Invoke-Command -Port 343 -ComputerName $env:COMPUTERNAME
+}

powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/UseOfReservedCmdletChar.expected

@@ -0,0 +1,2 @@
+| test.ps1:1:1:2:5 | MyFunction[1] | Function name contains a reserved character: [ |
+| test.ps1:1:1:2:5 | MyFunction[1] | Function name contains a reserved character: ] |

powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/UseOfReservedCmdletChar.qlref

@@ -0,0 +1 @@
+experimental/UseOfReservedCmdletChar.ql

powershell/ql/test/query-tests/security/UseOfReservedCmdletChar/test.ps1

@@ -0,0 +1,2 @@
+function MyFunction[1]
+{...}

powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/UsernameOrPasswordParameter.expected

@@ -0,0 +1,2 @@
+| test.ps1:6:9:7:17 | Username | Do not use username or password parameters. |
+| test.ps1:8:9:9:17 | Password | Do not use username or password parameters. |

powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/UsernameOrPasswordParameter.qlref

@@ -0,0 +1 @@
+experimental/UsernameOrPasswordParameter.ql

powershell/ql/test/query-tests/security/UsernameOrPasswordParameter/test.ps1

@@ -0,0 +1,11 @@
+function Test-Script
+{
+    [CmdletBinding()]
+    Param
+    (
+        [String]
+        $Username,
+        [SecureString]
+        $Password
+    )
+}