From b85c1763540b7d1958d8e7a59d0577d25cce68c7 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:01:25 +0100 Subject: [PATCH 1/6] PS: Add a FP to the sql-injection query. --- .../security/cwe-089/SqlInjection.expected | 14 ++++++++++++++ .../test/query-tests/security/cwe-089/test.ps1 | 16 +++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected index af5d263afa67..464303ff3b7b 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected @@ -4,12 +4,18 @@ edges | test.ps1:1:1:1:10 | userinput | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:78:13:78:22 | userinput | provenance | | +| test.ps1:1:1:1:10 | userinput | test.ps1:128:17:128:26 | userinput | provenance | | +| test.ps1:1:1:1:10 | userinput | test.ps1:128:28:128:37 | userinput | provenance | | | test.ps1:1:14:1:45 | Call to read-host | test.ps1:1:1:1:10 | userinput | provenance | Src:MaD:0 | | test.ps1:4:1:4:6 | query | test.ps1:5:72:5:77 | query | provenance | | | test.ps1:8:1:8:6 | query | test.ps1:9:72:9:77 | query | provenance | | | test.ps1:72:1:72:11 | QueryConn2 [element Query] | test.ps1:81:15:81:25 | QueryConn2 | provenance | | | test.ps1:72:15:79:1 | ${...} [element Query] | test.ps1:72:1:72:11 | QueryConn2 [element Query] | provenance | | | test.ps1:78:13:78:22 | userinput | test.ps1:72:15:79:1 | ${...} [element Query] | provenance | | +| test.ps1:118:9:119:54 | validated | test.ps1:124:92:124:101 | validated | provenance | | +| test.ps1:121:9:121:56 | unvalidated | test.ps1:125:92:125:103 | unvalidated | provenance | | +| test.ps1:128:17:128:26 | userinput | test.ps1:118:9:119:54 | validated | provenance | | +| test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance | | nodes | test.ps1:1:1:1:10 | userinput | semmle.label | userinput | | test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host | @@ -23,6 +29,12 @@ nodes | test.ps1:72:15:79:1 | ${...} [element Query] | semmle.label | ${...} [element Query] | | test.ps1:78:13:78:22 | userinput | semmle.label | userinput | | test.ps1:81:15:81:25 | QueryConn2 | semmle.label | QueryConn2 | +| test.ps1:118:9:119:54 | validated | semmle.label | validated | +| test.ps1:121:9:121:56 | unvalidated | semmle.label | unvalidated | +| test.ps1:124:92:124:101 | validated | semmle.label | validated | +| test.ps1:125:92:125:103 | unvalidated | semmle.label | unvalidated | +| test.ps1:128:17:128:26 | userinput | semmle.label | userinput | +| test.ps1:128:28:128:37 | userinput | semmle.label | userinput | subpaths #select | test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | @@ -30,3 +42,5 @@ subpaths | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:81:15:81:25 | QueryConn2 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:81:15:81:25 | QueryConn2 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | +| test.ps1:124:92:124:101 | validated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:124:92:124:101 | validated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | +| test.ps1:125:92:125:103 | unvalidated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:125:92:125:103 | unvalidated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 index a7a7a30da5fb..859a6ff341d1 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 +++ b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 @@ -111,4 +111,18 @@ TakesTypedParameters $userinput $userinput $userinput $userinput $userinput $use $query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM MyTable" # GOOD -Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -InputFile $userinput # GOOD # this is not really what this query is about. \ No newline at end of file +Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -InputFile $userinput # GOOD # this is not really what this query is about. + +function With-Validation() { + param( + [ValidateSet("FirstName","LastName")] + [parameter(Mandatory=$true)][string]$validated, + + [parameter(Mandatory=$true)][string]$unvalidated + ) + + Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $validated # GOOD [FALSE POSITIVE] + Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $unvalidated # BAD +} + +With-Validation $userinput $userinput \ No newline at end of file From 7f9930e19f249e6e870b0c5b86f0b2f0f68c0c4e Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:01:50 +0100 Subject: [PATCH 2/6] PS: Add a barrier to block flow on validated parameters. --- .../security/SqlInjectionCustomizations.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll index 37036d147721..3568d0f7990f 100644 --- a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll +++ b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll @@ -106,4 +106,15 @@ module SqlInjection { } class TypeSanitizer extends Sanitizer instanceof SimpleTypeSanitizer { } + + class ValidateAttributeSanitizer extends Sanitizer { + ValidateAttributeSanitizer() { + exists(Function f, Attribute a, Parameter p | + p = f.getAParameter() and + p.getAnAttribute() = a and + a.getAName() = ["ValidateScript", "ValidateSet", "ValidatePattern"] and + this.asParameter() = p + ) + } + } } From 9af130627dafcc1ac79f03fa76e2bd42e9c625dc Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:03:38 +0100 Subject: [PATCH 3/6] PS: Accept test changes. --- .../query-tests/security/cwe-089/SqlInjection.expected | 7 ------- powershell/ql/test/query-tests/security/cwe-089/test.ps1 | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected index 464303ff3b7b..b99d45072abb 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected @@ -4,7 +4,6 @@ edges | test.ps1:1:1:1:10 | userinput | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:78:13:78:22 | userinput | provenance | | -| test.ps1:1:1:1:10 | userinput | test.ps1:128:17:128:26 | userinput | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:128:28:128:37 | userinput | provenance | | | test.ps1:1:14:1:45 | Call to read-host | test.ps1:1:1:1:10 | userinput | provenance | Src:MaD:0 | | test.ps1:4:1:4:6 | query | test.ps1:5:72:5:77 | query | provenance | | @@ -12,9 +11,7 @@ edges | test.ps1:72:1:72:11 | QueryConn2 [element Query] | test.ps1:81:15:81:25 | QueryConn2 | provenance | | | test.ps1:72:15:79:1 | ${...} [element Query] | test.ps1:72:1:72:11 | QueryConn2 [element Query] | provenance | | | test.ps1:78:13:78:22 | userinput | test.ps1:72:15:79:1 | ${...} [element Query] | provenance | | -| test.ps1:118:9:119:54 | validated | test.ps1:124:92:124:101 | validated | provenance | | | test.ps1:121:9:121:56 | unvalidated | test.ps1:125:92:125:103 | unvalidated | provenance | | -| test.ps1:128:17:128:26 | userinput | test.ps1:118:9:119:54 | validated | provenance | | | test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance | | nodes | test.ps1:1:1:1:10 | userinput | semmle.label | userinput | @@ -29,11 +26,8 @@ nodes | test.ps1:72:15:79:1 | ${...} [element Query] | semmle.label | ${...} [element Query] | | test.ps1:78:13:78:22 | userinput | semmle.label | userinput | | test.ps1:81:15:81:25 | QueryConn2 | semmle.label | QueryConn2 | -| test.ps1:118:9:119:54 | validated | semmle.label | validated | | test.ps1:121:9:121:56 | unvalidated | semmle.label | unvalidated | -| test.ps1:124:92:124:101 | validated | semmle.label | validated | | test.ps1:125:92:125:103 | unvalidated | semmle.label | unvalidated | -| test.ps1:128:17:128:26 | userinput | semmle.label | userinput | | test.ps1:128:28:128:37 | userinput | semmle.label | userinput | subpaths #select @@ -42,5 +36,4 @@ subpaths | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:81:15:81:25 | QueryConn2 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:81:15:81:25 | QueryConn2 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | -| test.ps1:124:92:124:101 | validated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:124:92:124:101 | validated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:125:92:125:103 | unvalidated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:125:92:125:103 | unvalidated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 index 859a6ff341d1..6bd651df5ced 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 +++ b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 @@ -121,7 +121,7 @@ function With-Validation() { [parameter(Mandatory=$true)][string]$unvalidated ) - Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $validated # GOOD [FALSE POSITIVE] + Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $validated # GOOD Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $unvalidated # BAD } From e8df3cc62a6d43acef4a86acd10bd2eb63c1a333 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:12:43 +0100 Subject: [PATCH 4/6] PS: Add another FP test. --- .../security/cwe-089/SqlInjection.expected | 9 +++++++++ .../ql/test/query-tests/security/cwe-089/test.ps1 | 13 ++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected index b99d45072abb..9a3a7ff1ba5d 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected @@ -5,6 +5,7 @@ edges | test.ps1:1:1:1:10 | userinput | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:78:13:78:22 | userinput | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:128:28:128:37 | userinput | provenance | | +| test.ps1:1:1:1:10 | userinput | test.ps1:136:17:136:26 | userinput | provenance | | | test.ps1:1:14:1:45 | Call to read-host | test.ps1:1:1:1:10 | userinput | provenance | Src:MaD:0 | | test.ps1:4:1:4:6 | query | test.ps1:5:72:5:77 | query | provenance | | | test.ps1:8:1:8:6 | query | test.ps1:9:72:9:77 | query | provenance | | @@ -13,6 +14,9 @@ edges | test.ps1:78:13:78:22 | userinput | test.ps1:72:15:79:1 | ${...} [element Query] | provenance | | | test.ps1:121:9:121:56 | unvalidated | test.ps1:125:92:125:103 | unvalidated | provenance | | | test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance | | +| test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | test.ps1:139:15:139:25 | QueryConn3 | provenance | | +| test.ps1:130:15:137:1 | ${...} [element inputfile] | test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | provenance | | +| test.ps1:136:17:136:26 | userinput | test.ps1:130:15:137:1 | ${...} [element inputfile] | provenance | | nodes | test.ps1:1:1:1:10 | userinput | semmle.label | userinput | | test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host | @@ -29,6 +33,10 @@ nodes | test.ps1:121:9:121:56 | unvalidated | semmle.label | unvalidated | | test.ps1:125:92:125:103 | unvalidated | semmle.label | unvalidated | | test.ps1:128:28:128:37 | userinput | semmle.label | userinput | +| test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | semmle.label | QueryConn3 [element inputfile] | +| test.ps1:130:15:137:1 | ${...} [element inputfile] | semmle.label | ${...} [element inputfile] | +| test.ps1:136:17:136:26 | userinput | semmle.label | userinput | +| test.ps1:139:15:139:25 | QueryConn3 | semmle.label | QueryConn3 | subpaths #select | test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | @@ -37,3 +45,4 @@ subpaths | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:81:15:81:25 | QueryConn2 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:81:15:81:25 | QueryConn2 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:125:92:125:103 | unvalidated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:125:92:125:103 | unvalidated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | +| test.ps1:139:15:139:25 | QueryConn3 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:139:15:139:25 | QueryConn3 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 index 6bd651df5ced..22097f196845 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 +++ b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 @@ -125,4 +125,15 @@ function With-Validation() { Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q $unvalidated # BAD } -With-Validation $userinput $userinput \ No newline at end of file +With-Validation $userinput $userinput + +$QueryConn3 = @{ + Database = "MyDB" + ServerInstance = "MyServer" + Username = "MyUserName" + Password = "MyPassword" + ConnectionTimeout = 0 + inputfile = $userinput +} + +Invoke-Sqlcmd @QueryConn3 # GOOD [FALSE POSITIVE] \ No newline at end of file From a512b5a2d0a57acc453df552a043c2e2d0da6cc5 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:14:48 +0100 Subject: [PATCH 5/6] PS: Also use the 'query' predicate for implicit reads. --- .../code/powershell/security/SqlInjectionCustomizations.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll index 3568d0f7990f..1ed256440c81 100644 --- a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll +++ b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll @@ -73,7 +73,7 @@ module SqlInjection { override predicate allowImplicitRead(DataFlow::ContentSet cs) { cs.getAStoreContent().(DataFlow::Content::KnownKeyContent).getIndex().asString().toLowerCase() = - ["query", "inputfile"] + query() } } From 6a95515da1e89b18485d81f71b7b7a1c2fb05774 Mon Sep 17 00:00:00 2001 From: Mathias Vorreiter Pedersen Date: Thu, 11 Sep 2025 17:15:07 +0100 Subject: [PATCH 6/6] PS: Accept test changes. --- .../query-tests/security/cwe-089/SqlInjection.expected | 9 --------- powershell/ql/test/query-tests/security/cwe-089/test.ps1 | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected index 9a3a7ff1ba5d..b99d45072abb 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected +++ b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected @@ -5,7 +5,6 @@ edges | test.ps1:1:1:1:10 | userinput | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:78:13:78:22 | userinput | provenance | | | test.ps1:1:1:1:10 | userinput | test.ps1:128:28:128:37 | userinput | provenance | | -| test.ps1:1:1:1:10 | userinput | test.ps1:136:17:136:26 | userinput | provenance | | | test.ps1:1:14:1:45 | Call to read-host | test.ps1:1:1:1:10 | userinput | provenance | Src:MaD:0 | | test.ps1:4:1:4:6 | query | test.ps1:5:72:5:77 | query | provenance | | | test.ps1:8:1:8:6 | query | test.ps1:9:72:9:77 | query | provenance | | @@ -14,9 +13,6 @@ edges | test.ps1:78:13:78:22 | userinput | test.ps1:72:15:79:1 | ${...} [element Query] | provenance | | | test.ps1:121:9:121:56 | unvalidated | test.ps1:125:92:125:103 | unvalidated | provenance | | | test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance | | -| test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | test.ps1:139:15:139:25 | QueryConn3 | provenance | | -| test.ps1:130:15:137:1 | ${...} [element inputfile] | test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | provenance | | -| test.ps1:136:17:136:26 | userinput | test.ps1:130:15:137:1 | ${...} [element inputfile] | provenance | | nodes | test.ps1:1:1:1:10 | userinput | semmle.label | userinput | | test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host | @@ -33,10 +29,6 @@ nodes | test.ps1:121:9:121:56 | unvalidated | semmle.label | unvalidated | | test.ps1:125:92:125:103 | unvalidated | semmle.label | unvalidated | | test.ps1:128:28:128:37 | userinput | semmle.label | userinput | -| test.ps1:130:1:130:11 | QueryConn3 [element inputfile] | semmle.label | QueryConn3 [element inputfile] | -| test.ps1:130:15:137:1 | ${...} [element inputfile] | semmle.label | ${...} [element inputfile] | -| test.ps1:136:17:136:26 | userinput | semmle.label | userinput | -| test.ps1:139:15:139:25 | QueryConn3 | semmle.label | QueryConn3 | subpaths #select | test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | @@ -45,4 +37,3 @@ subpaths | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:81:15:81:25 | QueryConn2 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:81:15:81:25 | QueryConn2 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | | test.ps1:125:92:125:103 | unvalidated | test.ps1:1:14:1:45 | Call to read-host | test.ps1:125:92:125:103 | unvalidated | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | -| test.ps1:139:15:139:25 | QueryConn3 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:139:15:139:25 | QueryConn3 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin | diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 index 22097f196845..b5c4527153e5 100644 --- a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 +++ b/powershell/ql/test/query-tests/security/cwe-089/test.ps1 @@ -136,4 +136,4 @@ $QueryConn3 = @{ inputfile = $userinput } -Invoke-Sqlcmd @QueryConn3 # GOOD [FALSE POSITIVE] \ No newline at end of file +Invoke-Sqlcmd @QueryConn3 # GOOD \ No newline at end of file