PS: Add false positive with GUID.

MathiasVP · MathiasVP · commit 6da1c01058c0 · 2026-04-15T11:50:54.000+01:00
diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -19,12 +19,20 @@ edges
 | test.ps1:78:49:78:58 | userinput | test.ps1:78:13:78:59 | SELECT * FROM Customers WHERE id = $userinput | provenance | Config |
 | test.ps1:78:49:78:58 | userinput | test.ps1:111:51:111:60 | userinput | provenance |  |
 | test.ps1:111:51:111:60 | userinput | test.ps1:128:28:128:37 | userinput | provenance |  |
+| test.ps1:111:51:111:60 | userinput | test.ps1:150:10:150:19 | userinput | provenance |  |
 | test.ps1:121:9:121:56 | unvalidated | test.ps1:125:130:125:141 | unvalidated | provenance |  |
 | test.ps1:125:128:125:142 | $(...) | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | provenance |  |
 | test.ps1:125:128:125:142 | $(...) | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | provenance | Config |
 | test.ps1:125:130:125:141 | unvalidated | test.ps1:125:128:125:142 | $(...) | provenance |  |
 | test.ps1:125:130:125:141 | unvalidated | test.ps1:125:128:125:142 | $(...) | provenance | Config |
 | test.ps1:128:28:128:37 | userinput | test.ps1:121:9:121:56 | unvalidated | provenance |  |
+| test.ps1:144:11:144:50 | r | test.ps1:146:55:146:56 | r | provenance |  |
+| test.ps1:146:5:146:10 | query | test.ps1:147:72:147:77 | query | provenance |  |
+| test.ps1:146:5:146:10 | query | test.ps1:147:72:147:77 | query | provenance |  |
+| test.ps1:146:14:146:58 | SELECT * FROM MyTable WHERE MyColumn = '$r' | test.ps1:146:5:146:10 | query | provenance |  |
+| test.ps1:146:14:146:58 | SELECT * FROM MyTable WHERE MyColumn = '$r' | test.ps1:146:5:146:10 | query | provenance |  |
+| test.ps1:146:55:146:56 | r | test.ps1:146:14:146:58 | SELECT * FROM MyTable WHERE MyColumn = '$r' | provenance | Config |
+| test.ps1:150:10:150:19 | userinput | test.ps1:144:11:144:50 | r | provenance |  |
 nodes
 | test.ps1:1:1:1:10 | userinput | semmle.label | userinput |
 | test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host |
@@ -52,6 +60,13 @@ nodes
 | test.ps1:125:128:125:142 | $(...) | semmle.label | $(...) |
 | test.ps1:125:130:125:141 | unvalidated | semmle.label | unvalidated |
 | test.ps1:128:28:128:37 | userinput | semmle.label | userinput |
+| test.ps1:144:11:144:50 | r | semmle.label | r |
+| test.ps1:146:5:146:10 | query | semmle.label | query |
+| test.ps1:146:5:146:10 | query | semmle.label | query |
+| test.ps1:146:14:146:58 | SELECT * FROM MyTable WHERE MyColumn = '$r' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$r' |
+| test.ps1:146:55:146:56 | r | semmle.label | r |
+| test.ps1:147:72:147:77 | query | semmle.label | query |
+| test.ps1:150:10:150:19 | userinput | semmle.label | userinput |
 subpaths
 #select
 | test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin |
@@ -60,3 +75,4 @@ subpaths
 | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin |
 | test.ps1:81:15:81:25 | QueryConn2 | test.ps1:1:14:1:45 | Call to read-host | test.ps1:81:15:81:25 | QueryConn2 | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin |
 | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | test.ps1:1:14:1:45 | Call to read-host | test.ps1:125:92:125:143 | SELECT * FROM Customers where id = $($unvalidated) | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin |
+| test.ps1:147:72:147:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:147:72:147:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | read from stdin |
diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1
@@ -138,4 +138,13 @@ $QueryConn3 = @{
 
 Invoke-Sqlcmd @QueryConn3 # GOOD
 
-&sqlcmd -e -S $userinput -U "Login" -P "MyPassword" -d "MyDBName" -i "input_file.sql" # GOOD
+&sqlcmd -e -S $userinput -U "Login" -P "MyPassword" -d "MyDBName" -i "input_file.sql" # GOOD
+
+function WithGuid {
+    PARAM([Parameter(Mandatory = $true)] [guid] $r)
+
+    $query = "SELECT * FROM MyTable WHERE MyColumn = '$r'"
+    Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -q $query # GOOD [FALSE POSITIVE]
+}
+
+WithGuid $userinput
