add ValidateAttribute case

chanel-y · chanel-y · commit e66ae683e23c · 2025-09-04T10:41:38.000-07:00
diff --git a/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
@@ -228,6 +228,17 @@ module CommandInjection {
     }
   }
 
+    class ValidateAttributeSanitizer extends Sanitizer {
+    ValidateAttributeSanitizer() {
+      exists(Function f, Attribute a, Parameter p |
+        p = f.getAParameter() and
+        p.getAnAttribute() = a and 
+        a.getName() = ["ValidateScript", "ValidateSet", "ValidatePattern"] and
+        this.asParameter() = p
+      )
+    }
+  }
+
   class SingleQuoteSanitizer extends Sanitizer {
     SingleQuoteSanitizer() {
       exists(ExpandableStringExpr e, VarReadAccess v |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected
@@ -61,14 +61,14 @@ edges
 | test.ps1:185:42:185:47 | input | test.ps1:144:11:144:20 | userinput | provenance |  |
 | test.ps1:186:58:186:63 | input | test.ps1:153:11:153:20 | userinput | provenance |  |
 | test.ps1:187:41:187:46 | input | test.ps1:159:11:159:20 | userinput | provenance |  |
-| test.ps1:228:5:228:6 | o | test.ps1:231:7:231:10 | $o | provenance |  |
-| test.ps1:228:10:228:32 | Call to read-host | test.ps1:228:5:228:6 | o | provenance | Src:MaD:0  |
-| test.ps1:239:5:239:10 | input | test.ps1:240:5:240:21 | env:bar | provenance |  |
-| test.ps1:239:5:239:10 | input | test.ps1:240:5:240:21 | env:bar | provenance |  |
-| test.ps1:239:14:239:36 | Call to read-host | test.ps1:239:5:239:10 | input | provenance | Src:MaD:0  |
-| test.ps1:239:14:239:36 | Call to read-host | test.ps1:239:5:239:10 | input | provenance | Src:MaD:0  |
-| test.ps1:240:5:240:21 | env:bar | test.ps1:242:5:242:6 | y | provenance |  |
-| test.ps1:242:5:242:6 | y | test.ps1:243:7:243:10 | $y | provenance |  |
+| test.ps1:245:5:245:6 | o | test.ps1:248:7:248:10 | $o | provenance |  |
+| test.ps1:245:10:245:32 | Call to read-host | test.ps1:245:5:245:6 | o | provenance | Src:MaD:0  |
+| test.ps1:256:5:256:10 | input | test.ps1:257:5:257:21 | env:bar | provenance |  |
+| test.ps1:256:5:256:10 | input | test.ps1:257:5:257:21 | env:bar | provenance |  |
+| test.ps1:256:14:256:36 | Call to read-host | test.ps1:256:5:256:10 | input | provenance | Src:MaD:0  |
+| test.ps1:256:14:256:36 | Call to read-host | test.ps1:256:5:256:10 | input | provenance | Src:MaD:0  |
+| test.ps1:257:5:257:21 | env:bar | test.ps1:259:5:259:6 | y | provenance |  |
+| test.ps1:259:5:259:6 | y | test.ps1:260:7:260:10 | $y | provenance |  |
 nodes
 | test.ps1:3:11:3:20 | userinput | semmle.label | userinput |
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
@@ -133,15 +133,15 @@ nodes
 | test.ps1:185:42:185:47 | input | semmle.label | input |
 | test.ps1:186:58:186:63 | input | semmle.label | input |
 | test.ps1:187:41:187:46 | input | semmle.label | input |
-| test.ps1:228:5:228:6 | o | semmle.label | o |
-| test.ps1:228:10:228:32 | Call to read-host | semmle.label | Call to read-host |
-| test.ps1:231:7:231:10 | $o | semmle.label | $o |
-| test.ps1:239:5:239:10 | input | semmle.label | input |
-| test.ps1:239:5:239:10 | input | semmle.label | input |
-| test.ps1:239:14:239:36 | Call to read-host | semmle.label | Call to read-host |
-| test.ps1:240:5:240:21 | env:bar | semmle.label | env:bar |
-| test.ps1:242:5:242:6 | y | semmle.label | y |
-| test.ps1:243:7:243:10 | $y | semmle.label | $y |
+| test.ps1:245:5:245:6 | o | semmle.label | o |
+| test.ps1:245:10:245:32 | Call to read-host | semmle.label | Call to read-host |
+| test.ps1:248:7:248:10 | $o | semmle.label | $o |
+| test.ps1:256:5:256:10 | input | semmle.label | input |
+| test.ps1:256:5:256:10 | input | semmle.label | input |
+| test.ps1:256:14:256:36 | Call to read-host | semmle.label | Call to read-host |
+| test.ps1:257:5:257:21 | env:bar | semmle.label | env:bar |
+| test.ps1:259:5:259:6 | y | semmle.label | y |
+| test.ps1:260:7:260:10 | $y | semmle.label | $y |
 subpaths
 #select
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
@@ -164,5 +164,5 @@ subpaths
 | test.ps1:147:63:147:72 | UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:147:63:147:72 | UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
 | test.ps1:154:23:154:52 | Get-Process -Name $UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:154:23:154:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
 | test.ps1:160:29:160:38 | UserInput | test.ps1:164:10:164:32 | Call to read-host | test.ps1:160:29:160:38 | UserInput | This command depends on a $@. | test.ps1:164:10:164:32 | Call to read-host | user-provided value |
-| test.ps1:231:7:231:10 | $o | test.ps1:228:10:228:32 | Call to read-host | test.ps1:231:7:231:10 | $o | This command depends on a $@. | test.ps1:228:10:228:32 | Call to read-host | user-provided value |
-| test.ps1:243:7:243:10 | $y | test.ps1:239:14:239:36 | Call to read-host | test.ps1:243:7:243:10 | $y | This command depends on a $@. | test.ps1:239:14:239:36 | Call to read-host | user-provided value |
+| test.ps1:248:7:248:10 | $o | test.ps1:245:10:245:32 | Call to read-host | test.ps1:248:7:248:10 | $o | This command depends on a $@. | test.ps1:245:10:245:32 | Call to read-host | user-provided value |
+| test.ps1:260:7:260:10 | $y | test.ps1:256:14:256:36 | Call to read-host | test.ps1:260:7:260:10 | $y | This command depends on a $@. | test.ps1:256:14:256:36 | Call to read-host | user-provided value |
diff --git a/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1 b/powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1
@@ -218,10 +218,27 @@ function Invoke-InvokeExpressionInjectionSafe4
     Invoke-Expression "Get-Process -Name $UserInputClean"
 }
 
+#ValidatePattern Attribute
+function Invoke-InvokeExpressionInjectionSafe5
+{
+    param(
+        [ValidateScript({
+            if ($_ -eq "GoodValue") {
+                $true
+            } else {
+                throw "$_ is invalid."
+            }
+        })]
+        $UserInput
+    )
+    Invoke-Expression "Get-Process -Name $UserInput"
+}
+
 Invoke-InvokeExpressionInjectionSafe1 -UserInput $input 
 Invoke-InvokeExpressionInjectionSafe2 -UserInput $input 
 Invoke-InvokeExpressionInjectionSafe3 -UserInput $input 
 Invoke-InvokeExpressionInjectionSafe4 -UserInput $input 
+Invoke-InvokeExpressionInjectionSafe5 -UserInput $input 
 
 function false-positive-in-call-operator($d)
 {
