PowerShell: Add insecure random number generator query (CWE-338)

chanel-y · Copilot · chanel-y · commit 90860cbc7f8b · 2026-04-09T09:19:49.000-07:00
Detects use of Get-Random cmdlet and System.Random class which are
not cryptographically secure. Policy: Microsoft.Security.Cryptography.10017

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/powershell/ql/src/queries/security/cwe-338/InsecureRandomness.ql b/powershell/ql/src/queries/security/cwe-338/InsecureRandomness.ql
@@ -0,0 +1,56 @@
+/**
+ * @name Use of insecure random number generator
+ * @description Using non-cryptographic random number generators such as Get-Random or System.Random
+ *              for security-sensitive operations can compromise security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/microsoft/security/insecure-random
+ * @tags security
+ *       external/cwe/cwe-330
+ *       external/cwe/cwe-338
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/** A call to the `Get-Random` cmdlet. */
+class GetRandomCall extends DataFlow::CallNode {
+  GetRandomCall() { this.matchesName("Get-Random") }
+}
+
+/** An instantiation of `System.Random` via `New-Object`. */
+class SystemRandomObjectCreation extends DataFlow::ObjectCreationNode {
+  SystemRandomObjectCreation() {
+    this.asExpr()
+        .getExpr()
+        .(ObjectCreation)
+        .getAnArgument()
+        .getValue()
+        .stringMatches("System.Random")
+  }
+}
+
+/** A call to `[System.Random]::new()` via the API graph. */
+class SystemRandomNewCall extends DataFlow::CallNode {
+  SystemRandomNewCall() {
+    this = API::getTopLevelMember("system").getMember("random").getMember("new").asCall()
+  }
+}
+
+from DataFlow::Node node, string msg
+where
+  node instanceof GetRandomCall and
+  msg =
+    "Use of insecure random number generator 'Get-Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead."
+  or
+  node instanceof SystemRandomObjectCreation and
+  msg =
+    "Use of insecure random number generator 'System.Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead."
+  or
+  node instanceof SystemRandomNewCall and
+  msg =
+    "Use of insecure random number generator 'System.Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead."
+select node, msg
diff --git a/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/InsecureRandomness.expected b/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/InsecureRandomness.expected
@@ -0,0 +1,4 @@
+| test.ps1:6:10:6:51 | Call to get-random | Use of insecure random number generator 'Get-Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead. |
+| test.ps1:9:16:9:25 | Call to get-random | Use of insecure random number generator 'Get-Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead. |
+| test.ps1:12:8:12:31 | Call to new-object | Use of insecure random number generator 'System.Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead. |
+| test.ps1:15:9:15:32 | Call to new-object | Use of insecure random number generator 'System.Random'. Use [System.Security.Cryptography.RandomNumberGenerator] instead. |
diff --git a/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/InsecureRandomness.qlref b/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/InsecureRandomness.qlref
@@ -0,0 +1 @@
+queries/security/cwe-338/InsecureRandomness.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/test.ps1 b/powershell/ql/test/query-tests/security/cwe-338/InsecureRandomness/test.ps1
@@ -0,0 +1,33 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: Get-Random cmdlet ---
+$token = Get-Random -Minimum 100000 -Maximum 999999 # BAD
+
+# --- Case 2: Get-Random without parameters ---
+$randomValue = Get-Random # BAD
+
+# --- Case 3: New-Object System.Random ---
+$rng = New-Object System.Random # BAD
+
+# --- Case 4: System.Random with method call ---
+$rng2 = New-Object System.Random
+$value = $rng2.Next(1, 100) # (The New-Object is the BAD part)
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: Using RandomNumberGenerator ---
+$secureRng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
+$bytes = New-Object byte[] 32
+$secureRng.GetBytes($bytes) # GOOD
+
+# --- Safe: Using RNGCryptoServiceProvider ---
+$cspRng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
+$secureBytes = New-Object byte[] 16
+$cspRng.GetBytes($secureBytes) # GOOD
+
+# --- Safe: Using RandomNumberGenerator static method ---
+$randomBytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(32) # GOOD

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-338/InsecureRandomness.ql`