PSAvoidUsingPlainTextForPassword Error #564

Closed
iainbrighton opened this issue Jun 10, 2016 · 3 comments

@iainbrighton

The PSAvoidUsingPlainTextForPassword is being flagged incorrectly in both v1.5.0 and v1.6.0. It seems to trip whenever there is "Password" mentioned in the parameter name:

PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 259   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 521   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 771   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 965   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.

Here's the parameter definition:

[Parameter()]
[ValidateSet('Default','Negotiate')]
[System.String] $PasswordAuthenticationContext = 'Default'

This parameter is perfectly legal and it makes no sense that this should be flagged as a warning.

@kapilmb

kapilmb commented Jun 15, 2016

PSAvoidUsingPlainTextForPassword checks for string type parameters with names that contain any of the following: "Password", "Passphrase", "Cred", "Credential". Hence, it trips in the above-mentioned case. This is definitely a false alarm and a limitation of the existing implementation.

If it helps, please have a look at #371 and #203 for more context on this rule's behavior.

One workaround would be to use an enum type for the parameter. This would prevent the rule from triggering.
OR
Use rule suppression - [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")]
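
To check which of the forms discussed above the installed analyzer version actually flags, the following added example (not code from the issue thread or the PSScriptAnalyzer project) runs only this rule over three variants of the reported parameter. It assumes PowerShell 5.0 or later and an installed PSScriptAnalyzer module; `Set-DemoUser` and `AuthContext` are hypothetical names.

```powershell
# Added example, not from the issue thread. Set-DemoUser and AuthContext are hypothetical;
# the parameter definition and the suppression attribute are the ones quoted in the thread.
Import-Module PSScriptAnalyzer -ErrorAction Stop
$rule = 'PSAvoidUsingPlainTextForPassword'

# Variant 1: the string parameter exactly as reported.
$asReported = @'
function Set-DemoUser {
    param (
        [Parameter()]
        [ValidateSet('Default','Negotiate')]
        [System.String] $PasswordAuthenticationContext = 'Default'
    )
}
'@
# Variant 2: the enum workaround; the enum replaces both the string type and the ValidateSet.
$enumWorkaround = @'
enum AuthContext {
    Default
    Negotiate
}
function Set-DemoUser {
    param (
        [Parameter()]
        [AuthContext] $PasswordAuthenticationContext = [AuthContext]::Default
    )
}
'@
# Variant 3: rule suppression scoped to the single parameter name.
$suppressed = @'
function Set-DemoUser {
    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")]
    param (
        [Parameter()]
        [ValidateSet('Default','Negotiate')]
        [System.String] $PasswordAuthenticationContext = 'Default'
    )
}
'@
$cases = [ordered]@{ 'As reported' = $asReported; 'Enum type' = $enumWorkaround; 'SuppressMessage' = $suppressed }
foreach ($name in $cases.Keys) {
    # Analyze the source text only; keep records from this rule and ignore anything else.
    $hits = @(Invoke-ScriptAnalyzer -ScriptDefinition $cases[$name] -IncludeRule $rule | Where-Object RuleName -eq $rule)
    [pscustomobject]@{
        Variant = $name
        Flagged = $hits.Count -gt 0
        Lines   = ($hits | ForEach-Object { $_.Extent.StartLineNumber }) -join ','
    }
}
```

Both workarounds touch only the one affected parameter, so the rule stays enabled for every other parameter in the module.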

@kapilmb

kapilmb commented Jun 15, 2016

Looks like [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")] doesn't work. I'll open an issue to fix this.

@kapilmb

kapilmb commented Jun 15, 2016

Here is the issue #569

@kapilmb kapilmb closed this as completed Oct 18, 2016