```typescript
/**
 * AST-only check: type literals outside Microsoft's ConstrainedLanguage
 * allowlist. CLM blocks all .NET type access except ~90 primitives/attributes
 * Microsoft considers safe for untrusted code. We trust that list as the
 * "safe" boundary — anything outside it (Reflection.Assembly, IO.Pipes,
 * …
 * like [int]$x have no member invocation and only hit this check.
 */
function checkTypeLiterals(
  parsed: ParsedPowerShellCommand,
): PowerShellSecurityResult {
  for (const t of parsed.typeLiterals ?? []) {
    if (!isClmAllowedType(t)) {
      return {
        behavior: 'ask',
        message: `Command uses .NET type [${t}] outside the ConstrainedLanguage allowlist`,
      }
    }
  }
  return { behavior: 'passthrough' }
}

/**
 * Invoke-Item (alias ii) opens a file with its default handler (ShellExecute
 * …
 */
```
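One way an allowlist lookup for type literals can normalize a name before matching, as an added example rather than the project's own `isClmAllowedType` (which this page does not show). The helper names, the small `ALLOWED` subset and the rule that an array of an allowed type is treated like its element type are assumptions made for illustration.

```typescript
// Added example with hypothetical helper names. ALLOWED is a small constructed
// subset for illustration, not Microsoft's full ConstrainedLanguage list.
const ALLOWED = new Set([
  'int', 'int32', 'string', 'bool', 'boolean',
  'hashtable', 'collections.hashtable',
  'regex', 'text.regularexpressions.regex',
  'datetime', 'guid',
])

// PowerShell resolves type names case-insensitively and lets the "System."
// prefix be omitted, so [INT32] and [System.Int32] name the same type.
// Assumption: an array such as [int[]] or [int[,]] is judged by its element type.
function normalizeTypeName(literal: string): string {
  let name = literal.trim().toLowerCase()
  // Strip any number of trailing array ranks: "int[][]" -> "int".
  while (/\[,*\]$/.test(name)) name = name.replace(/\[,*\]$/, '')
  if (name.startsWith('system.')) name = name.slice('system.'.length)
  return name
}

function isAllowedTypeLiteral(literal: string): boolean {
  const name = normalizeTypeName(literal)
  // Fail closed: generics, assembly-qualified names and anything else that is
  // not a plain dotted identifier can never match the allowlist.
  if (!/^[a-z_][a-z0-9_.]*$/.test(name)) return false
  return ALLOWED.has(name)
}

// Report every offending literal, in order, so a prompt can list them all.
function disallowedTypes(typeLiterals: string[] | undefined): string[] {
  return (typeLiterals ?? []).filter(t => !isAllowedTypeLiteral(t))
}
```

Matching on the raw string instead would let `[System.Int32]` or `[INT]` trigger needless prompts, while the identifier check keeps unparsed forms such as `List[int]` on the "ask" side.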