Merge pull request #276 from microsoft/powershell-sql-injection-alias-parameter-fp

PS: Also handle `-q` and `-i` arguments in sql injection query

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll

@@ -48,15 +48,19 @@ module SqlInjection {
     override string getSourceType() { result = this.(SourceNode).getSourceType() }
   }
 
+  private string query() { result = ["query", "q"] }
+
+  private string inputfile() { result = ["inputfile", "i"] }
+
   class InvokeSqlCmdSink extends Sink {
     InvokeSqlCmdSink() {
       exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
-        this = call.getNamedArgument("query")
+        this = call.getNamedArgument(query())
         or
-        this = call.getNamedArgument("inputfile")
+        this = call.getNamedArgument(inputfile())
         or
-        not call.hasNamedArgument("query") and
-        not call.hasNamedArgument("inputfile") and
+        not call.hasNamedArgument(query()) and
+        not call.hasNamedArgument(inputfile()) and
         this = call.getArgument(0)
         or
         // TODO: Here we really should pick a splat argument, but we don't yet extract whether an

powershell/ql/test/query-tests/security/cwe-089/test.ps1

@@ -107,3 +107,6 @@ function TakesTypedParameters([int]$i, [long]$l, [float]$f, [double]$d, [decimal
 }
 
 TakesTypedParameters $userinput $userinput $userinput $userinput $userinput $userinput $userinput $userinput
+
+$query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'"
+Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM MyTable" # GOOD