
There are some blog posts describing that Invoke-Expression opens the door to injection attacks, and is therefore considered insecure (as I understand it). Additionally, the posts describe ways to overcome Invoke-Expression by use of the call operator (&).

My question: What is a valid scenario to use Invoke-Expression? If there is no valid one, why is it still part of actual PowerShell (6) releases?

Ansgar Wiechers
Moerwald
  • Suppose there is no valid scenario for `Invoke-Expression`. What is removing it from PowerShell supposed to achieve? – user4003407 Oct 06 '19 at 15:29
  • Removing it from PowerShell would force users to perform invocations in a more secure way. – Moerwald Oct 06 '19 at 15:36
  • [This answer](https://stackoverflow.com/a/51252636/9902555) contains 2 examples of that cmdlet's valid use cases. – Robert Dyjas Oct 06 '19 at 15:42
  • @Moerwald - From what I understand, there are edge cases where the only obvious way to handle the situation is via IEX. For instance, while many malware items use it, running decoded base64 scripts is usually done that way. I don't understand _why_ that was considered needful, but apparently there are situations where it is appropriate. – Lee_Dailey Oct 06 '19 at 15:44
  • @Moerwald There are a dozen other ways to do the same thing that `Invoke-Expression` does. And they share the same (in)security implications as `Invoke-Expression`. How will the absence of `Invoke-Expression` force anyone to prefer a more secure way rather than one of the `Invoke-Expression` equivalents? – user4003407 Oct 06 '19 at 17:01
  • The widespread misuse of `Invoke-Expression` could be alleviated if the official help provided proper guidance, along the lines of [_Invoke-Expression considered harmful_](https://blogs.msdn.microsoft.com/powershell/2011/06/03/invoke-expression-considered-harmful/). Unfortunately, the [suggestion on GitHub](https://github.com/MicrosoftDocs/PowerShell-Docs/issues/2679) to fix that is languishing. – mklement0 Oct 07 '19 at 07:55
  • Yesterday, I raised a new [issue](https://github.com/MicrosoftDocs/PowerShell-Docs/issues/4897) requesting some guidance on this topic also. – Moerwald Oct 07 '19 at 07:57
  • Yeah, I just saw it - and linked it to the original issue. If you feel so inclined, feel free to submit a PR - my personal preference is not to try to fix the docs directly. – mklement0 Oct 07 '19 at 08:38
  • There are valid scenarios for using `Invoke-Expression`, even though they're few and far between. And even if the cmdlet were to be removed, people would find other insecure ways of doing stuff. If you make something foolproof, nature will provide you with a new and improved fool. – Ansgar Wiechers Oct 07 '19 at 09:19
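
The contrast the question describes (building a command string for `Invoke-Expression` versus passing arguments through the call operator `&`), as an added example that is not part of the original post or its comments. The function names and the sample input are constructed for illustration.

```powershell
# Added example. Function names and the input value are constructed.
# Constructed untrusted input: a "file name" that closes the quote and appends a statement.
$untrusted = "report.txt'; Write-Output 'INJECTED'; '"

function Show-NameUnsafe([string] $Name) {
    # Weak form: the value is spliced into source text and re-parsed as code,
    # so the quote inside $Name ends the literal and the remainder runs as statements.
    Invoke-Expression "Write-Output 'Processing $Name'"
}

function Show-NameSafe([string] $Name) {
    # Corrected form: the command name is fixed, the value travels as an argument.
    # The call operator invokes a command; it never parses argument values as code.
    $cmd     = 'Write-Output'
    $cmdArgs = @("Processing $Name")
    & $cmd @cmdArgs
}

# Collect what each variant emits so the difference is visible as data.
$unsafeOut = @(Show-NameUnsafe $untrusted)
$safeOut   = @(Show-NameSafe   $untrusted)

'Invoke-Expression emitted {0} object(s):' -f $unsafeOut.Count
$unsafeOut | ForEach-Object { "  [$_]" }
'Call operator emitted {0} object(s):' -f $safeOut.Count
$safeOut | ForEach-Object { "  [$_]" }

# Common pitfall when migrating away from Invoke-Expression: & takes a command
# name (or script block), not a whole command line, so this lookup fails.
try {
    & "Write-Output 'Processing report.txt'"
}
catch [System.Management.Automation.CommandNotFoundException] {
    'Call operator rejected a full command line: ' + $_.Exception.GetType().Name
}
```

With the call operator the quote characters and the appended statement arrive as literal text in a single string, whereas the `Invoke-Expression` variant executes them.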

0 Answers