build(analyzers): vendor InjectionHunter for PowerShell injection SAST#20
Closed
NWarila wants to merge 1 commit into
Closed
build(analyzers): vendor InjectionHunter for PowerShell injection SAST#20NWarila wants to merge 1 commit into
NWarila wants to merge 1 commit into
Conversation
Vendor Microsoft/Lee Holmes' InjectionHunter ruleset (PowerShell Gallery v1.0.0, frozen since 2017) under analyzers/InjectionHunter/ and wire it into the house PSScriptAnalyzer config via CustomRulePath. It taint-tracks untrusted input into execution contexts (Invoke-Expression, Add-Type, dynamic member / method / property access, cmd/powershell command injection, unsafe escaping) -- a defect class the built-in rules do not catch. The module is pinned, not installed live: InjectionHunter.psd1 and .psm1 are committed byte-identical to the Gallery package (SHA-256 recorded in VENDORED.md), marked -text in .gitattributes so EOL normalization cannot alter the bytes, and allowlisted in the deny-all .gitignore. VENDORED.md records the source, version, GUID, file hashes, the pre-vendoring audit (eight passive AST rule functions; no install logic, network, or obfuscation), and the license status. The CI analyze step excludes the vendored directory from its own lint target set (third-party upstream, not restyled to house rules) while still loading it as a rule provider. tests/InjectionHunter.Tests.ps1 proves the ruleset is loaded through the settings file and fires on Invoke-Expression and Add-Type fixtures while staying clean on safe idiom. Wiring InjectionHunter surfaced three InjectionRisk.UnsafeEscaping false positives in analyzers/HouseRules.psm1, all from benign empty-string -replace operands (stripping scope and namespace prefixes from AST type names). They are resolved by writing the empty replacement as the house-idiomatic [System.String]::Empty -- behavior-identical, no logic change -- which keeps the rule fully active everywhere rather than excluding it.
Owner
Author
|
Closing unmerged — decision to not adopt InjectionHunter. The implementation here is clean and was fully audited (vendored .psm1/.psd1 verified byte-identical to PowerShell Gallery v1.0.0; passive AST ruleset with no hidden behavior; CustomRulePath wiring correct; analyze 0 findings; Pester 37/0 at 93.62%; signed Conventional Commit; all CI green). The drop is strategic, not a quality issue:
May be revisited per-repo if a future repo gains real dynamic-execution surface. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Vendor Microsoft/Lee Holmes' InjectionHunter ruleset (PowerShell Gallery
v1.0.0, frozen since 2017) underanalyzers/InjectionHunter/and wire it into the house PSScriptAnalyzer config viaCustomRulePath. It taint-tracks untrusted input into execution contexts (Invoke-Expression,Add-Type, dynamic member/method/property access,cmd/powershellcommand injection, unsafe escaping) — a defect class the built-in rules (e.g.PSAvoidUsingInvokeExpression) do not catch.How
InjectionHunter.psd1+.psm1are committed byte-identical to the Gallery package (SHA-256 inVENDORED.md), marked-textin.gitattributesso EOL normalization cannot alter the bytes (the.psm1is CRLF + signed; the.psd1is UTF-16), and allowlisted in the deny-all.gitignore. Only the manifest + module are vendored (not the.cat/upstream tests).VENDORED.md): eight passive AST rule functions; no install logic, no network, no filesystem writes, no obfuscation.CustomRulePath += './analyzers/InjectionHunter/InjectionHunter.psd1';IncludeDefaultRules/IncludeRules/ExcludeRules/Rulesunchanged (IH rules are additive).tests/InjectionHunter.Tests.ps1proves the ruleset is loaded through the settings file and fires onInvoke-ExpressionandAdd-Typefixtures while staying clean on safe idiom.License. InjectionHunter ships no open-source license. The Gallery declares no
LicenseUri(manifest copyright: "(c) Microsoft Corporation 2016. All rights reserved."); the canonicalgithub.com/PowerShell/InjectionHunterrepo is gone (404) and the only fork is unlicensed. I did not fabricate an MITLICENSE;VENDORED.mdrecords the real status and preserves Microsoft's attribution. Whether to vendor (vs. restore at build time) is an owner call.3 false positives fixed in
HouseRules.psm1. Wiring IH surfaced threeInjectionRisk.UnsafeEscapingfindings inanalyzers/HouseRules.psm1, all benign empty-string-replaceoperands (stripping scope/namespace prefixes from AST type names — no untrusted input, no execution). I resolved them by writing the empty replacement as[System.String]::Empty(behavior-identical, house-idiomatic, no logic change), which keeps the rule fully active everywhere rather than blanket-excluding it. The scaffoldsrc/sources were already clean.Verify
Invoke-ScriptAnalyzer(CI command, vendored dir excluded) → 0 findings on own sources. Pester suite 37/37, coverage 93.62% / 80%. The 3 self-tests pass (fires on injection, clean on safe idiom). actionlint runs in CI.Next step: IH-2 — mirror this byte-identical into
windows-certificate-store-exporter(and any other template consumers), ensuring itssrc/**is 0-findings. Template merge-authority needs owner confirmation.Do not merge — pending audit.