Psscriptanalyzer: PSAvoidUsingPlainTextForPassword Error

Created on 10 Jun 2016  路  3Comments  路  Source: PowerShell/PSScriptAnalyzer

The PSAvoidUsingPlainTextForPassword is being flagged incorrectly in both v1.5.0 and v1.6.0. It seems to trip whenever there is "Password" mentioned in the parameter name:

PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 259   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 521   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 771   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.
PSAvoidUsingPlainTextForPassword    Warning      MSFT_xADUs 965   Parameter '$PasswordAuthenticationContext' should
                                                 er.psm1          use SecureString, otherwise this will expose
                                                                  sensitive information. See ConvertTo-SecureString
                                                                  for more information.

Here's the parameter definition:

[Parameter()]
[ValidateSet('Default','Negotiate')]
[System.String] $PasswordAuthenticationContext = 'Default'

This parameter is perfectly legal and it makes no sense that this should be flagged as a warning.

Most helpful comment

Looks like [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")] doesn't work. I'll open an issue to fix this.

All 3 comments

PSAvoidUsingPlainTextForPassword checks for string type parameters with names that contain any of the following: "Password", "Passphrase", "Cred", "Credential". Hence, it trips in the above mentioned case. This is definitely a false alarm and a limitation of the existing implementation

If it helps, please have a look at #371 and #203 for more context on this rule's behavior.

One work around would be use an enum type for the parameter. This would prevent the rule from triggering.
OR
Use rule suppression - [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")]

Looks like [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingPlainTextForPassword", "PasswordAuthenticationContext")] doesn't work. I'll open an issue to fix this.

Here is the issue #569

Was this page helpful?
0 / 5 - 0 ratings