From df3551eda2dce113e1eecf8a3ff03654c9bf24a4 Mon Sep 17 00:00:00 2001 From: Christoph Bergmeister Date: Tue, 13 Feb 2024 18:14:28 +0000 Subject: [PATCH] AvoidUsingPositionalParameter: Check if command has parameters to avoid having az in default CommandAllowList (#1850) * AvoidUsingPositionalParameter : Check if command has parameters * fix syntax * remove unneeded test * Update Rules/AvoidPositionalParameters.cs
---
 Engine/Helper.cs | 5 +++-- Rules/AvoidPositionalParameters.cs | 7 +++++-- Rules/UseCmdletCorrectly.cs | 2 +- docs/Rules/AvoidUsingPositionalParameters.md | 6 +++--- 4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/Engine/Helper.cs b/Engine/Helper.cs
index 528a3fe88..ded37b011 100644
--- a/Engine/Helper.cs
+++ b/Engine/Helper.cs
@@ -609,14 +609,15 @@ public bool HasSplattedVariable(CommandAst cmdAst)
 ///
 ///
 ///
- public bool IsKnownCmdletFunctionOrExternalScript(CommandAst cmdAst)
+ public bool IsKnownCmdletFunctionOrExternalScript(CommandAst cmdAst, out CommandInfo commandInfo)
 {
+ commandInfo = null;
 if (cmdAst == null)
 {
 return false;
 }
- var commandInfo = GetCommandInfo(cmdAst.GetCommandName());
+ commandInfo = GetCommandInfo(cmdAst.GetCommandName());
 if (commandInfo == null)
 {
 return false;
diff --git a/Rules/AvoidPositionalParameters.cs b/Rules/AvoidPositionalParameters.cs
index 3c6ec9626..2071baebd 100644
--- a/Rules/AvoidPositionalParameters.cs
+++ b/Rules/AvoidPositionalParameters.cs
@@ -6,6 +6,7 @@
 using System.Management.Automation.Language;
 using Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic;
 using System.Linq;
+using System.Management.Automation;
 #if !CORECLR
 using System.ComponentModel.Composition;
 #endif
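Review bot: Changing the signature of the public `Helper.IsKnownCmdletFunctionOrExternalScript` in the Engine/Helper.cs hunk removes the one-argument form, so any rule assembly built against it outside this repository would no longer bind; a forwarding overload keeps it working: `public bool IsKnownCmdletFunctionOrExternalScript(CommandAst cmdAst) => IsKnownCmdletFunctionOrExternalScript(cmdAst, out _);`. The doc comment above the method is unchanged context, so the new `out` parameter is undocumented. It should say that `commandInfo` is null when `cmdAst` is null or the name does not resolve, and that it can be non-null even when the method returns false, because it is assigned before whatever checks follow. The method body continues past the end of the hunk.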
@@ -21,7 +22,7 @@ namespace Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules #endif public class AvoidPositionalParameters : ConfigurableRule { - [ConfigurableRuleProperty(defaultValue: new string[] { "az" })] + [ConfigurableRuleProperty(defaultValue: new string[] { })] public string[] CommandAllowList { get; set; } public AvoidPositionalParameters() @@ -61,9 +62,11 @@ public override IEnumerable AnalyzeScript(Ast ast, string file // MSDN: CommandAst.GetCommandName Method if (cmdAst.GetCommandName() == null) continue; - if ((Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst) || declaredFunctionNames.Contains(cmdAst.GetCommandName())) && + if ((Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst, out CommandInfo commandInfo) || declaredFunctionNames.Contains(cmdAst.GetCommandName())) && (Helper.Instance.PositionalParameterUsed(cmdAst, true))) { + if (commandInfo?.CommandType == CommandTypes.Application) continue; + PipelineAst parent = cmdAst.Parent as PipelineAst; string commandName = cmdAst.GetCommandName(); diff --git a/Rules/UseCmdletCorrectly.cs b/Rules/UseCmdletCorrectly.cs index 0239d95fc..ccec27e0b 100644 --- a/Rules/UseCmdletCorrectly.cs +++ b/Rules/UseCmdletCorrectly.cs @@ -100,7 +100,7 @@ private bool MandatoryParameterExists(CommandAst cmdAst) } // Positional parameters could be mandatory, so we assume all is well - if (Helper.Instance.PositionalParameterUsed(cmdAst) && Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst)) + if (Helper.Instance.PositionalParameterUsed(cmdAst) && Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst, out _)) { return true; } diff --git a/docs/Rules/AvoidUsingPositionalParameters.md b/docs/Rules/AvoidUsingPositionalParameters.md index 2d1dab690..5d1706a4b 100644 --- a/docs/Rules/AvoidUsingPositionalParameters.md +++ b/docs/Rules/AvoidUsingPositionalParameters.md 
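Review bot: The new `if (commandInfo?.CommandType == CommandTypes.Application) continue;` in AnalyzeScript skips only native executables, while the documentation text removed by this same commit describes the `az` entry point as an `az.ps1` script. If that resolves as `CommandTypes.ExternalScript` where the analysis runs, removing `"az"` from the default `CommandAllowList` in the first hunk on this line would presumably bring the warnings back. The skip is also reached through `|| declaredFunctionNames.Contains(...)`, so a function declared in the analysed script that shares its name with an executable on the PATH looks like it would be skipped as well; `if (commandInfo?.CommandType == CommandTypes.Application && !declaredFunctionNames.Contains(cmdAst.GetCommandName())) continue;` would keep declared functions checked. A comment noting that the result depends on command resolution on the analysing machine, plus a test pinning the `az` case, would make the intent reviewable. AnalyzeScript starts and ends outside the hunk.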
@@ -25,7 +25,7 @@ supplied. A simple example where the risk of using positional parameters is negl
 ```powershell
 Rules = @{
 PSAvoidUsingPositionalParameters = @{
- CommandAllowList = 'az', 'Join-Path'
+ CommandAllowList = 'Join-Path', 'MyCmdletOrScript'
 Enable = $true
 }
 }
@@ -33,9 +33,9 @@ Rules = @{
 ### Parameters
-#### CommandAllowList: string[] (Default value is 'az')
+#### CommandAllowList: string[] (Default value is @()')
-Commands to be excluded from this rule. `az` is excluded by default because starting with version 2.40.0 the entrypoint of the AZ CLI became an `az.ps1` script but this script does not have any named parameters and just passes them on using `$args` as is to the Python process that it starts, therefore it is still a CLI and not a PowerShell command.
+Commands or scripts to be excluded from this rule.
 #### Enable: bool (Default value is `$true`)