( parsed: ParsedPowerShellCommand, )
| 1726 | */ |
| 1727 | // exported for testing |
| 1728 | export function deriveSecurityFlags( |
| 1729 | parsed: ParsedPowerShellCommand, |
| 1730 | ): SecurityFlags { |
| 1731 | const flags: SecurityFlags = { |
| 1732 | hasSubExpressions: false, |
| 1733 | hasScriptBlocks: false, |
| 1734 | hasSplatting: false, |
| 1735 | hasExpandableStrings: false, |
| 1736 | hasMemberInvocations: false, |
| 1737 | hasAssignments: false, |
| 1738 | hasStopParsing: parsed.hasStopParsing, |
| 1739 | } |
| 1740 | |
/**
 * Folds one command's element types into the enclosing `flags` object.
 *
 * Only sets flags to `true`; nothing here clears a flag, so the result
 * accumulates across every command passed in. Element types other than
 * the four handled below are ignored.
 *
 * NOTE(review): a command without `elementTypes` contributes nothing here.
 * The statement-level `securityPatterns` check in the caller looks like the
 * fallback for that case; confirm that missing type information cannot
 * leave every flag false for a command that should have been flagged.
 *
 * @param cmd - Parsed command element whose `elementTypes` are inspected.
 */
function checkElements(cmd: ParsedCommandElement): void {
  const kinds = cmd.elementTypes
  if (kinds) {
    for (const kind of kinds) {
      if (kind === 'ScriptBlock') {
        flags.hasScriptBlocks = true
      } else if (kind === 'SubExpression') {
        flags.hasSubExpressions = true
      } else if (kind === 'ExpandableString') {
        flags.hasExpandableStrings = true
      } else if (kind === 'MemberInvocation') {
        flags.hasMemberInvocations = true
      }
    }
  }
}
| 1762 | |
| 1763 | for (const stmt of parsed.statements) { |
| 1764 | if (stmt.statementType === 'AssignmentStatementAst') { |
| 1765 | flags.hasAssignments = true |
| 1766 | } |
| 1767 | for (const cmd of stmt.commands) { |
| 1768 | checkElements(cmd) |
| 1769 | } |
| 1770 | if (stmt.nestedCommands) { |
| 1771 | for (const cmd of stmt.nestedCommands) { |
| 1772 | checkElements(cmd) |
| 1773 | } |
| 1774 | } |
| 1775 | // securityPatterns provides a belt-and-suspenders check that catches |
| 1776 | // patterns elementTypes may miss (e.g. member invocations inside |
| 1777 | // assignments, subexpressions in non-pipeline statements). |
| 1778 | if (stmt.securityPatterns) { |
| 1779 | if (stmt.securityPatterns.hasMemberInvocations) { |
| 1780 | flags.hasMemberInvocations = true |
| 1781 | } |
| 1782 | if (stmt.securityPatterns.hasSubExpressions) { |
| 1783 | flags.hasSubExpressions = true |
| 1784 | } |
| 1785 | if (stmt.securityPatterns.hasExpandableStrings) { |
no test coverage detected