ISE May Accidentally Execute Code

In PowerShell ISE pressing F1 provides context sensitive help. The code the cursor is in is used to search the help system for related help.

Unfortunately, pressing F1 may actually execute code which can lead to unexpected results. This affects PowerShell 3.0 only and has been fixed in PowerShell 4.0 meanwhile.

When you press F1 in the ISE editor, the editor automatically enters code into the console:

PS> Get-Help "Keyword" -ShowWindow

  In PowerShell 3.0, the ISE editor accidentally uses double quotes

ISE 3.0 places the keyword in double quotes, not single quotes, and that's a bad thing. Double quoted text is "active text". Any variable in that text will get replaced by its content.

In PowerShell 4.0, this has been fixed. Here, PowerShell ISE correctly uses single quotes:

PS> Get-Help -Name 'keyword' -ShowWindow

  In PowerShell 4.0, the problem is resolved, and single quotes are used

Why Single Quotes Protect You

In "benign" scenarios, you may just get help for a completely unrelated topic, depending on what a variable contains. Enter this into the ISE editor and run it:


$test = 'Get-Service'

Now, place the cursor anywhere into $test and press F1!

PS> Get-Help -Name "$test" -ShowWindow

  In PowerShell 3.0, pressing F1 will place the help topic in double-quotes

As you will notice, in PowerShell 3.0, the help window does not show help about variables (in PowerShell 4.0, all is fine).

Instead, it shows help for the cmdlet Get-Service! That's because the variable $test contains the text "Get-Service", and because ISE put the text in double quotes, the variable is replaced by its content before Get-Help ever sees it.

Watch Out – Accidental System Restart

Now this may be funny. It can be worse, though. Just imagine you have code like this in your script:


$test = '$(Restart-Computer -whatif)'

Now, select the text inside the single quotes and press F1. You will get a help window, but at the same time the command inside the parentheses will also execute.

PS> Get-Help -Name "$(Restart-Computer -whatif)" -ShowWindow
What if: Performing the operation "Enable the Local shutdown access rights and restart the computer." on target "localhost (tobi2)".

  Calling Help may restart computer if double-quotes are used

Without the -whatif, on PowerShell 3.0 your computer would now have restarted.

ISE has placed the selected text in double quotes, so PowerShell evaluates it. $() is a subexpression: it holds no stored value but code that produces the value, and inside a double-quoted string that code runs as soon as the string is expanded. Pressing F1 therefore executed it.
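To make the difference concrete, here is an added example (not code from the original post) that replays what ISE does on F1: it builds a help command line around a piece of editor text and hands it to the console. Show-Topic and New-HelpLine are made-up names standing in for Get-Help and for the ISE logic, and a counter replaces Restart-Computer as the side effect.

```powershell
# Added example, not from the original post. Stand-ins: Show-Topic instead of
# Get-Help, a counter instead of Restart-Computer, Invoke-Expression instead
# of the ISE console executing the line it typed.

$script:SideEffects = 0

# Stand-in for Get-Help: reports which topic name actually arrived.
function Show-Topic {
    param([string]$Name)
    "help requested for: $Name"
}

# Builds the console line the way ISE 3.0 (double quotes) or 4.0 (single quotes) does.
function New-HelpLine {
    param([string]$Keyword, [switch]$DoubleQuoted)
    if ($DoubleQuoted) {
        # ISE 3.0 behaviour: expandable string, so any $var or $( ) in the
        # keyword is evaluated when the console parses the line.
        return 'Show-Topic -Name "' + $Keyword + '"'
    }
    # ISE 4.0 behaviour: literal string. The only character that needs escaping
    # inside single quotes is the single quote itself, written as '' ; without
    # this a keyword containing a quote could break out of the literal.
    $escaped = $Keyword -replace "'", "''"
    return "Show-Topic -Name '$escaped'"
}

# Editor text as in the post: a subexpression hidden in a string.
$keyword = '$($script:SideEffects++; "Get-Service")'

foreach ($mode in @{ DoubleQuoted = $true }, @{ DoubleQuoted = $false }) {
    $line = New-HelpLine -Keyword $keyword @mode
    "console line: $line"
    Invoke-Expression $line            # what the console does with the typed line
    "side effects so far: $script:SideEffects"
}
```

With double quotes the stand-in receives "Get-Service" and the counter moves to 1; with single quotes it receives the literal `$(...)` text and the counter does not change.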

What It Means To You

One could argue this is a very constructed example, but what it really tells you is the same story you may have heard about SQL injection attacks: it is a potential attack vector, and we do know how creative attackers are at exploiting things like this.

What it also tells you is: look at your own code! Do not use double-quoted strings unless you really mean it. Use single-quoted text if the text is meant to be static.

And it also means: update to PowerShell 4.0! Go with the flow, enjoy the latest improvements – and bug fixes. Apparently, they did not make it into PowerShell 3.0.