This document is intended as guidance for how all PowerShell scripts should be written for security, functionality, and consistency.
To help enforce these rules during your dev process, consider using PSScriptAnalyzer. Each of the sections below contains the rule code for enabling the corresponding check in PSScriptAnalyzer where one exists. Additionally, the analyzer is built in as a linter in the PowerShell VSCode extension. We have created a settings file to be used with this linter.
PSScriptAnalyzer Rule: AvoidUsingInvokeExpression
Invoke-Expression and non-parameterized script blocks are both vulnerable to injection.
Invoke-Expression executes a specified string, which is vulnerable to injection attacks. As an example:
$function = "Write-Host"
$argument = "hello; Write-Host injected"
Invoke-Expression "$function $argument"will return:
hello
injectedWhile the following script:
$function = "Write-Host"
$argument = "hello; Write-Host injected"
& $function $argumentwill return:
hello; Write-Host injectedas would be expected.
In general, this guidance can be summarized as don't use Invoke-Expression.
Similarly, the following script block is also vulnerable to injection.
$UserInputVar = "hello; Write-Host injected"
$DynamicScript = "Write-Host $UserInputVar"
$ScriptBlock = [ScriptBlock]::Create($DynamicScript)
Invoke-Command $ScriptBlockThis returns:
hello
injectedWhile this script:
$UserInputVar = "hello; Write-Host injected"
[ScriptBlock]$ScriptBlock = {
Param($SafeUserInput)
Write-Host $SafeUserInput
}
Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList @($UserInputVar)correctly outputs:
hello; Write-Host injectedIn general, this guidance can be summarized as don't use [ScriptBlock]::Create.
When a script/executable is prefixed with an ampersand (&), the command which follows can be in quotation marks or include variables. This is not the case when the ampersand is not included. Thus, we recommend always including an ampersand.
Relatedly, $LASTEXITCODE should always be checked after running an executable to ensure that the script fails (or at least responds appropriately) to the executable failing.
Combining this with the previous piece of advice, the way to call git add . from a script would be:
& git add .
if ($LASTEXITCODE -ne 0) {
# behavior in case of error
}To set it in a PowerShell script, e.g. to ensure a known value at the start of a script, reference the variable in the global scope.
$global:LASTEXITCODE = 0Scripts should always include the following just below the parameter definition block:
Set-StrictMode -Version 2.0
$ErrorActionPreference = "Stop"This will ensure PowerShell uses the proper version and that encountered errors cause the script to fail.
PSScriptAnalyzer Rule: AvoidUsingCmdletAliases
Cmdlet aliases (such as ls for Get-ChildItem and echo for Write-Output) are not universal across all machines and all installs of PowerShell. Furthermore, aliases can cause confusion as the cmdlets frequently behave entirely differently from the commands the aliases are named for, e.g. cmd's dir vs. Get-ChildItem or bash's wget and curl vs. Invoke-WebRequest. Always use the actual cmdlet name.
To determine what cmdlet an alias points to, simply run:
Exceptions: % and ? are aliases for ForEach-Object and Where-Object, respectively. These aliases can be left in code and warnings related to them can be ignored.
Get-Alias $aliase.g.
Get-Alias lsreturns:
CommandType Name Version Source
----------- ---- ------- ------
Alias ls -> Get-ChildItemPSScriptAnalyzer Rule: AvoidUsingWMICmdlet
PowerShell recommends avoiding all the WMI cmdlets (Get-WmiObject, Remove-WmiObject, Invoke-WmiObject, Register-WmiEvent, Set-WmiInstance) and instead using the CIM ones (respectively, Get-CimInstance, Remove-CimInstance, Invoke-CimMethod, Register-CimIndicationEvent, Set-CimInstance).
PSScriptAnalyzer Rule: AvoidUsingPositionalParameters
Positional parameters cause problems for code maintenance, as adding new parameters later down the line can break previous invocations. Instead, parameters should always be called explicitly. Setting:
[CmdletBinding(PositionalBinding=$false)]will force this behavior.
Note: This rule will check for the usage of positional parameters rather than forcing binding to turn them off.
Was this helpful?