-
Notifications
You must be signed in to change notification settings - Fork 375
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add AvoidUsingAllowUnencryptedAuthentication (#1857)
* Add AvoidUsingAllowUnencryptedAuthentication rule * Add AvoidUsingAllowUnencryptedAuthentication docs and tests * Update docs/Rules/AvoidUsingAllowUnencryptedAuthentication.md Co-authored-by: Christoph Bergmeister <c.bergmeister@gmail.com> * Fix code review suggestions * Fix md code styling * bump rule count in tests again * Update docs/Rules/AvoidUsingAllowUnencryptedAuthentication.md --------- Co-authored-by: Christoph Bergmeister <c.bergmeister@gmail.com> Co-authored-by: Christoph Bergmeister <c.bergmeister2@shell.com>
- Loading branch information
3 people
authored
Feb 13, 2024
1 parent
c06e005
commit c085ee3
Showing
6 changed files
with
204 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Collections.Generic; | ||
| using System.Linq; | ||
| using System.Management.Automation.Language; | ||
| using Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic; | ||
| #if !CORECLR | ||
| using System.ComponentModel.Composition; | ||
| #endif | ||
| using System.Globalization; | ||
|
|
||
| namespace Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules | ||
| { | ||
| /// <summary> | ||
| /// AvoidUsingAllowUnencryptedAuthentication: Avoid sending credentials and secrets over unencrypted connections. | ||
| /// </summary> | ||
| #if !CORECLR | ||
| [Export(typeof(IScriptRule))] | ||
| #endif | ||
| public class AvoidUsingAllowUnencryptedAuthentication : AvoidParameterGeneric | ||
| { | ||
| /// <summary> | ||
| /// Condition on the cmdlet that must be satisfied for the error to be raised | ||
| /// </summary> | ||
| /// <param name="CmdAst"></param> | ||
| /// <returns></returns> | ||
| public override bool CommandCondition(CommandAst CmdAst) | ||
| { | ||
| return true; | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Condition on the parameter that must be satisfied for the error to be raised. | ||
| /// </summary> | ||
| /// <param name="CmdAst"></param> | ||
| /// <param name="CeAst"></param> | ||
| /// <returns></returns> | ||
| public override bool ParameterCondition(CommandAst CmdAst, CommandElementAst CeAst) | ||
| { | ||
| return CeAst is CommandParameterAst && String.Equals((CeAst as CommandParameterAst).ParameterName, "AllowUnencryptedAuthentication", StringComparison.OrdinalIgnoreCase); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Retrieves the error message | ||
| /// </summary> | ||
| /// <param name="FileName"></param> | ||
| /// <param name="CmdAst"></param> | ||
| /// <returns></returns> | ||
| public override string GetError(string fileName, CommandAst cmdAst) | ||
| { | ||
| return String.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationError); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetName: Retrieves the name of this rule. | ||
| /// </summary> | ||
| /// <returns>The name of this rule</returns> | ||
| public override string GetName() | ||
| { | ||
| return string.Format(CultureInfo.CurrentCulture, Strings.NameSpaceFormat, GetSourceName(), Strings.AvoidUsingAllowUnencryptedAuthenticationName); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetCommonName: Retrieves the common name of this rule. | ||
| /// </summary> | ||
| /// <returns>The common name of this rule</returns> | ||
| public override string GetCommonName() | ||
| { | ||
| return string.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationCommonName); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetDescription: Retrieves the description of this rule. | ||
| /// </summary> | ||
| /// <returns>The description of this rule</returns> | ||
| public override string GetDescription() | ||
| { | ||
| return string.Format(CultureInfo.CurrentCulture, Strings.AvoidUsingAllowUnencryptedAuthenticationDescription); | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetSourceType: Retrieves the type of the rule: builtin, managed or module. | ||
| /// </summary> | ||
| public override SourceType GetSourceType() | ||
| { | ||
| return SourceType.Builtin; | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetSeverity: Retrieves the severity of the rule: error, warning or information. | ||
| /// </summary> | ||
| /// <returns></returns> | ||
| public override RuleSeverity GetSeverity() | ||
| { | ||
| return RuleSeverity.Warning; | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// DiagnosticSeverity: Retrieves the severity of the rule of type DiagnosticSeverity: error, warning or information. | ||
| /// </summary> | ||
| /// <returns></returns> | ||
| public override DiagnosticSeverity GetDiagnosticSeverity() | ||
| { | ||
| return DiagnosticSeverity.Warning; | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// GetSourceName: Retrieves the module/assembly name the rule is from. | ||
| /// </summary> | ||
| public override string GetSourceName() | ||
| { | ||
| return string.Format(CultureInfo.CurrentCulture, Strings.SourceName); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
38 changes: 38 additions & 0 deletions
38
Tests/Rules/AvoidUsingAllowUnencryptedAuthentication.tests.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # Copyright (c) Microsoft Corporation. All rights reserved. | ||
| # Licensed under the MIT License. | ||
|
|
||
| BeforeAll { | ||
| $settings = @{ | ||
| IncludeRules = @('PSAvoidUsingAllowUnencryptedAuthentication') | ||
| Rules = @{ | ||
| PSAvoidUsingAllowUnencryptedAuthentication = @{ | ||
| Enable = $true | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| Describe "AvoidUsingAllowUnencryptedAuthentication" { | ||
| Context "When there are violations" { | ||
| It "detects unencrypted authentication violations" { | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1 | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-RestMethod foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1 | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'iwr foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1 | ||
| } | ||
|
|
||
| It "detects arbitrary cmdlets" { | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-CustomWebRequest foo -AllowUnencryptedAuthentication' -Settings $settings).Count | Should -Be 1 | ||
| } | ||
|
|
||
| } | ||
|
|
||
| Context "When there are no violations" { | ||
| It "does not flag safe usage" { | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo' -Settings $settings).Count | Should -Be 0 | ||
| } | ||
|
|
||
| It "does not flag cases with unrelated parameters" { | ||
| (Invoke-ScriptAnalyzer -ScriptDefinition 'Invoke-WebRequest foo -Method Get' -Settings $settings).Count | Should -Be 0 | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| --- | ||
| description: Avoid sending credentials and secrets over unencrypted connections | ||
| ms.custom: PSSA v1.22.0 | ||
| ms.date: 11/06/2022 | ||
| ms.topic: reference | ||
| title: AvoidUsingAllowUnencryptedAuthentication | ||
| --- | ||
| # AvoidUsingAllowUnencryptedAuthentication | ||
|
|
||
| **Severity Level: Warning** | ||
|
|
||
| ## Description | ||
|
|
||
| Avoid using the `AllowUnencryptedAuthentication` switch on `Invoke-WebRequest`, `Invoke-RestMethod`, and other webrequest cmdlets, which sends credentials and secrets over unencrypted connections. | ||
| This should be avoided except for compatability with legacy systems. | ||
|
|
||
| For more details, see the documentation warning [here](https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/invoke-webrequest#-allowunencryptedauthentication). | ||
|
|
||
| ## How | ||
|
|
||
| Avoid using the `AllowUnencryptedAuthentication` switch. | ||
|
|
||
| ## Example 1 | ||
|
|
||
| ### Wrong | ||
|
|
||
| ```powershell | ||
| Invoke-WebRequest foo -AllowUnencryptedAuthentication | ||
| ``` | ||
|
|
||
| ### Correct | ||
|
|
||
| ```powershell | ||
| Invoke-WebRequest foo | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters