This topic contains 4 replies, has 3 voices, and was last updated by
April 11, 2016 at 10:59 am #37527ParticipantPoints: 0Rank: Member
I have a few build scripts that call non-powershell EXEs to do work simply because of the lack of cmdlets available and my unwillingness to reverse engineer exactly what the supplied command line programs do. I tend to call them using invoke-expression after building the exact syntax in a variable. So for example, a very little snippet:
$cmd = 'certutil.exe -setreg CA\CRLPublicationURLs "1:'+$env:SystemRoot+'\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://'+$FQDN+'/pki/%3%8%9.crl"' Invoke-Expression $cmd | Write-Verbose
I've noticed PSScriptAnalyzer really doesn't like me using Invoke-Expression like ... at all. So while I correct most of the recommendations this is one I've ignored over time.
What is the best -practice reasoning for avoiding invoke-expression? Is it because of a code-injection risk? I think the context would help me to determine under which cases I should indeed go down the path of making my own tools vs. saying "meh, for this scenario it's fine".
April 11, 2016 at 11:07 am #37528MemberPoints: 0Rank: Member
Yes, Invoke-Expression opens you up to code injection attacks. Even when calling an external command like certutil.exe, you don't need to use Invoke-Expression; this is safe, and accomplishes the same thing:
certutil.exe -setreg CA\CRLPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://$FQDN/pki/%3%8%9.crl" | Write-Verbose
April 11, 2016 at 11:11 am #37529MemberPoints: 0Rank: Member
That said, if you completely control the variables that are being used to construct your command (no outside input at all), then there is not really any risk involved. However, here's an example of what might happen if $FQDN were loaded up from some potentially untrusted source (registry key, config file, whatever):
$FQDN = '" > $null 2>&1; Write-Host -ForegroundColor Green "gotcha!"; #'
April 14, 2016 at 3:07 pm #37793ParticipantPoints: 0Rank: Member
I never responded to this but thank you: I guess I merely assumed cmd/DOS based programs would not integrate that seamlessly into PowerShell so the "correct" way to do it was to wrap the command into an invoke.
April 15, 2016 at 3:20 am #37834ParticipantPoints: 21Rank: Member
A good overview of running executables is available here: http://social.technet.microsoft.com/wiki/contents/articles/7703.powershell-running-executables.aspx
Worth checking out depending on your needs.
The topic ‘psscriptanalyzer feels invoke-expression is bad.’ is closed to new replies.