Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UsePSCredentialType : on a variable $credential the quickfix proposed is [securestring] instead of [PsCredential] #1767

Closed
zamothh opened this issue Jan 28, 2022 · 7 comments · Fixed by #1782
Closed

UsePSCredentialType : on a variable $credential the quickfix proposed is [securestring] instead of [PsCredential] #1767

zamothh opened this issue Jan 28, 2022 · 7 comments · Fixed by #1782
Labels
Issue - Discussion

Comments

@zamothh
Copy link

zamothh commented Jan 28, 2022

Summary of the new feature

When I have a variable called $credential, the proposed quickfix is to set it as a [securestring] instead of [PsCredential] object :
image

Proposed technical implementation details (optional)
The Quick Fix should be [PsCredential]

What is the latest version of PSScriptAnalyzer at the point of writing
1.20.0
@ghost ghost added the Needs: Triage 🔍 label Jan 28, 2022
@StevenBucher98
Copy link
Collaborator

Thanks for pointing this out @zamothh! We will leave this open for discussion, adding extra logic in the rule to check for the $credential and recommend [PsCredential] would be reasonable.

@StevenBucher98
Copy link
Collaborator

What do you think @bergmeister?

@JustinGrote
Copy link

I think [PsCredential] is what most people are thinking. There's already the separate rule saying parameters named $Password should be [SecureString], that should stay as is, but Credential specifically almost always in Powershell nomenclature means a PSCredential (username/password pair)

@bergmeister
Copy link
Collaborator

At the moment, PSSA would be happy with either pscredential or securestring type. It's worthwhile remembering that the way things work is the PSSA rule emits the SuggestedCorrections property, which is an IEnumerable so we could return more than one correction. We'd have to check if current code actually would propagate this end to end in PSSA and the extension (code somewhere might lazily just take the first element). As I have worked on the extension before happy to look into it. Therefore we wouldn't have to think about which is the best. Let me know what you think

@bergmeister
Copy link
Collaborator

bergmeister commented Feb 6, 2022
edited
Loading

I had a more detailed look: The AvoidUsingPlainTextForPassword rule gets triggered here if the parameter name is either Password, Passphrase, Cred or Credential. It seems that the rule does some type analysis and somehow the rule does not get triggered for types such as [int], [pscustomobject or [pscredential, hence why my above observation around pscredential was a red herring (or rather a defect in the rule). Just by looking at the code here, which determines whether a warning gets emitted based on type analysis, it seems the rule is just relying on the above defect to emit a warning rather than looking for a specific type like SecureString or PSCredential. I propose to fix the rule to only alert if the type is neither pscredential nor securestring and always emit a warning otherwise. WDYT @StevenBucher98

Also, I did a small PoC to make the rule return two local suggested corrections and this works end to end in the PSScriptAnalyzer module but not in the VS-Code UI, I suspect there is code somewhere to just take the first element of the list, I've contributed to the vs-code extension and PSES before so I should be able to fix that myself as well.

@bergmeister bergmeister mentioned this issue Feb 16, 2022
Closed
andyleejordan pushed a commit to PowerShell/PowerShellEditorServices that referenced this issue Feb 19, 2022
@bergmeister @andyleejordan
Return a code action for each diagnostic record
a4c4fdf 
Currently, PSSA's `SuggestCorrections` property of the
`DiagnosticRecord` object already is an array, but no built-in rules
return more than one suggested correction, which led to
`PowerShellEditorServices` not correctly translating this array before
returning it as an code action as it only ever displayed one. This fixes
it by making it generic again so it returns a code action for each
suggest correction. It's basically just performing a `foreach` loop and
calling `ToTextEdit` just once.

This is a pre-requisite for an implementation of this, where a built-in
rule will return multiple suggest corrections:
PowerShell/PSScriptAnalyzer#1767

I've manually tested this with a modified version of PSScriptAnalyzer
where I return two suggested corrections. The extension's UI now shows
me the two different suggested code actions and also applies them
correctly.
@andyleejordan andyleejordan mentioned this issue Feb 19, 2022
Merged
@StevenBucher98
Copy link
Collaborator

Thanks for the PR @bergmeister, just so I am following it correctly, your fix helps with suggesting multiple warnings for the VSCode UI? There was no fix for the alert to add "Set $credential to [PsCredential]" correct?

@bergmeister
Copy link
Collaborator

The first PR in PSES was to fix a bug in the VS Code extension where it would only ever display one suggested correction. My next PR will be in PSSA and will make the rule return 2 suggested corrections as part of the single warning. This way users can choose whether they prefer to fix it with pscredential or the securestring. I can show you a screenshot when I open the PSSA PR, which should make it clearer

@bergmeister bergmeister mentioned this issue Mar 28, 2022
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue - Discussion
Projects
None yet
Milestone
No milestone
4 participants
@bergmeister @JustinGrote @StevenBucher98 @zamothh