build(analyzers): vendor InjectionHunter for PowerShell injection SAST #21
Closed
NWarila wants to merge 1 commit into
Vendor Microsoft/Lee Holmes' InjectionHunter ruleset (PowerShell Gallery v1.0.0, frozen since 2017) under analyzers/InjectionHunter/ and wire it into the house PSScriptAnalyzer config via CustomRulePath. It taint-tracks untrusted input into execution contexts (Invoke-Expression, Add-Type, dynamic member / method / property access, cmd/powershell command injection, unsafe escaping) -- a defect class the built-in rules do not catch.

The module is pinned, not installed live: InjectionHunter.psd1 and .psm1 are committed byte-identical to the Gallery package (SHA-256 recorded in VENDORED.md), marked -text in .gitattributes so EOL normalization cannot alter the bytes, and allowlisted in the deny-all .gitignore. VENDORED.md records the source, version, GUID, file hashes, the pre-vendoring audit (eight passive AST rule functions; no install logic, network, or obfuscation), and the license status.

The CI analyze step excludes the vendored directory from its own lint target set (third-party upstream, not restyled to house rules) while still loading it as a rule provider. tests/InjectionHunter.Tests.ps1 proves the ruleset is loaded through the settings file and fires on Invoke-Expression and Add-Type fixtures while staying clean on safe idiom.

Wiring InjectionHunter surfaced three InjectionRisk.UnsafeEscaping false positives in analyzers/HouseRules.psm1, all from benign empty-string -replace operands (stripping scope and namespace prefixes from AST type names). They are resolved by writing the empty replacement as the house-idiomatic [System.String]::Empty -- behavior-identical, no logic change -- which keeps the rule fully active everywhere rather than excluding it.
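As an added illustration of the CustomRulePath wiring and the load-and-fire check the description talks about (my own example, not the PR's tests/InjectionHunter.Tests.ps1), the script below points PSScriptAnalyzer at the vendored module through a settings file, then confirms that an Invoke-Expression fed from a parameter is flagged while the parameter-bound form is not. The $RepoRoot layout, the temp paths and the two fixture bodies are assumptions.

```powershell
# Added example: load InjectionHunter via a CustomRulePath settings file and
# confirm it fires on tainted Invoke-Expression but stays quiet on safe idiom.
# $RepoRoot and the fixture bodies are assumptions, not the PR's own test file.
#Requires -Modules PSScriptAnalyzer
$RepoRoot = Split-Path -Parent $PSCommandPath
$Work     = Join-Path ([System.IO.Path]::GetTempPath()) "ih-demo-$PID"
$Fixtures = Join-Path $Work 'fixtures'
New-Item -ItemType Directory -Path $Fixtures -Force | Out-Null

# Settings file mirroring the house wiring: keep the built-in rules and load
# the vendored ruleset as an additional rule provider.
$Settings = Join-Path $Work 'settings.psd1'
@"
@{
    IncludeDefaultRules = `$true
    CustomRulePath      = @('$RepoRoot\analyzers\InjectionHunter')
}
"@ | Set-Content -Path $Settings

# Constructed fixtures: untrusted input re-parsed by Invoke-Expression, and
# the equivalent that passes the same value as a bound parameter instead.
@'
param([string]$Name)
Invoke-Expression "Get-Service $Name"
'@ | Set-Content -Path (Join-Path $Fixtures 'unsafe.ps1')

@'
param([string]$Name)
Get-Service -Name $Name
'@ | Set-Content -Path (Join-Path $Fixtures 'safe.ps1')

function Get-InjectionFindings {
    # Run the analyzer through the settings file (as CI does) and keep only
    # findings raised by the vendored ruleset, whose rule names share the
    # InjectionRisk.* prefix seen in the description.
    param([string]$Path, [string]$SettingsPath)
    @(Invoke-ScriptAnalyzer -Path $Path -Settings $SettingsPath |
        Where-Object RuleName -like 'InjectionRisk.*')
}

$Unsafe = Get-InjectionFindings (Join-Path $Fixtures 'unsafe.ps1') $Settings
$Safe   = Get-InjectionFindings (Join-Path $Fixtures 'safe.ps1')   $Settings

if ($Unsafe.Count -eq 0) { throw 'Ruleset not loaded, or it did not fire on the tainted Invoke-Expression fixture.' }
if ($Safe.Count -ne 0)   { throw "Unexpected finding on safe idiom: $($Safe.RuleName -join ', ')" }

$Unsafe | Select-Object RuleName, Line, Message | Format-Table -AutoSize
Remove-Item -Recurse -Force $Work
```

The same two-fixture shape is what a regression test for the settings file needs: one taint path that must produce an InjectionRisk.* record and one idiomatic equivalent that must produce none, so a silently unloaded CustomRulePath is caught rather than passing as "no findings".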
Closing: this is the dropped InjectionHunter work (no OSS license; decided against in #20). Not merging.
Summary

- analyzers/InjectionHunter/ and records source, hashes, audit notes, and license status in VENDORED.md.
- PSScriptAnalyzerSettings.psd1 while excluding the third-party files from the repo's own lint target set.
- Invoke-Expression/Add-Type fixtures.
- -replace operands in HouseRules.psm1 as [System.String]::Empty to keep InjectionHunter active without false positives.

Validation

- powershell.exe -NoLogo -NoProfile -File tests\Invoke-Tests.ps1 -MinimumCoverage 80 — 37 passed, 0 failed, 93.62% coverage.
- origin/main (590bd5f7e3470f9e7c3970ddc7f5cebcdbe3ae53).

Notes

- pwsh and actionlint are not installed in this Windows environment; PR CI will run the PowerShell 7 and actionlint paths.
- VENDORED.md flags InjectionHunter's unverified redistribution terms explicitly for owner review.
- Stop line: did not merge.