Merge pull request #281 from microsoft/do-not-warn-on-inputfile

MathiasVP · web-flow · commit 7a96fec4fa47 · 2025-09-09T19:45:10.000+01:00
PS: Do not alert on `inputfile` in the SQL injection query
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -57,8 +57,8 @@ module SqlInjection {
       exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
         this = call.getNamedArgument(query())
         or
-        this = call.getNamedArgument(inputfile())
-        or
+        // If the input is not provided as a query parameter or an input file
+        // parameter then it's the first argument.
         not call.hasNamedArgument(query()) and
         not call.hasNamedArgument(inputfile()) and
         this = call.getArgument(0)
diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1
@@ -109,4 +109,6 @@ function TakesTypedParameters([int]$i, [long]$l, [float]$f, [double]$d, [decimal
 TakesTypedParameters $userinput $userinput $userinput $userinput $userinput $userinput $userinput $userinput
 
 $query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'"
-Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM MyTable" # GOOD
+Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM MyTable" # GOOD
+
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -InputFile $userinput # GOOD # this is not really what this query is about.
