Also return suggestion to use PSCredential for AvoidUsingPlainTextForPassword rule (#1782)

bergmeister · web-flow · commit 87199e56f573 · 2022-07-11T17:21:30.000+01:00
* Also return suggestion to use PSCredential for AvoidUsingPlainTextForPassword rule

* fix tests
diff --git a/Rules/AvoidUsingPlainTextForPassword.cs b/Rules/AvoidUsingPlainTextForPassword.cs
@@ -64,37 +64,43 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
             }
         }
 
-        private List<CorrectionExtent> GetCorrectionExtent(ParameterAst paramAst)
+        private IEnumerable<CorrectionExtent> GetCorrectionExtent(ParameterAst paramAst)
         {
             //Find the parameter type extent and replace that with secure string
             IScriptExtent extent;
             var typeAttributeAst = GetTypeAttributeAst(paramAst);
             var corrections = new List<CorrectionExtent>();
             string correctionText;
-            if (typeAttributeAst == null)
-            {
-                // cannot find any type attribute
-                extent = paramAst.Name.Extent;
-                correctionText = string.Format("[SecureString] {0}", paramAst.Name.Extent.Text);
-            }
-            else
+
+            foreach (string correctionType in new[] { "SecureString", "PSCredential" })
             {
-                // replace only the existing type with [SecureString]
-                extent = typeAttributeAst.Extent;
-                correctionText = typeAttributeAst.TypeName.IsArray ? "[SecureString[]]" : "[SecureString]";
+                if (typeAttributeAst == null)
+                {
+                    // cannot find any type attribute
+                    extent = paramAst.Name.Extent;
+                    correctionText = $"[{correctionType}] {paramAst.Name.Extent.Text}";
+                }
+                else
+                {
+                    // replace only the existing type with [SecureString]
+                    extent = typeAttributeAst.Extent;
+                    correctionText = typeAttributeAst.TypeName.IsArray ? $"[{correctionType}[]]" : $"[{correctionType}]";
+                }
+                string description = string.Format(
+                    CultureInfo.CurrentCulture,
+                    Strings.AvoidUsingPlainTextForPasswordCorrectionDescription,
+                    paramAst.Name.Extent.Text,
+                    correctionType);
+                corrections.Add(new CorrectionExtent(
+                    extent.StartLineNumber,
+                    extent.EndLineNumber,
+                    extent.StartColumnNumber,
+                    extent.EndColumnNumber,
+                    correctionText.ToString(),
+                    paramAst.Extent.File,
+                    description));
             }
-            string description = string.Format(
-                CultureInfo.CurrentCulture,
-                Strings.AvoidUsingPlainTextForPasswordCorrectionDescription,
-                paramAst.Name.Extent.Text);
-            corrections.Add(new CorrectionExtent(
-                extent.StartLineNumber,
-                extent.EndLineNumber,
-                extent.StartColumnNumber,
-                extent.EndColumnNumber,
-                correctionText.ToString(),
-                paramAst.Extent.File,
-                description));
+
             return corrections;
         }
 
diff --git a/Rules/Strings.Designer.cs b/Rules/Strings.Designer.cs
diff --git a/Rules/Strings.resx b/Rules/Strings.resx
@@ -292,7 +292,7 @@
     <value>Password parameters that take in plaintext will expose passwords and compromise the security of your system.</value>
   </data>
   <data name="AvoidUsingPlainTextForPasswordError" xml:space="preserve">
-    <value>Parameter '{0}' should use SecureString, otherwise this will expose sensitive information. See ConvertTo-SecureString for more information.</value>
+    <value>Parameter '{0}' should not use String type but either SecureString or PSCredential, otherwise it increases the chance to to expose this sensitive information.</value>
   </data>
   <data name="AvoidUsingPlainTextForPasswordCommonName" xml:space="preserve">
     <value>Avoid Using Plain Text For Password Parameter</value>
@@ -778,7 +778,7 @@
     <value>Replace {0} with {1}</value>
   </data>
   <data name="AvoidUsingPlainTextForPasswordCorrectionDescription" xml:space="preserve">
-    <value>Set {0} type to SecureString</value>
+    <value>Set {0} type to {1}</value>
   </data>
   <data name="MissingModuleManifestFieldCorrectionDescription" xml:space="preserve">
     <value>Add {0} = {1} to the module manifest</value>
@@ -1164,4 +1164,4 @@
   <data name="AvoidMultipleTypeAttributesName" xml:space="preserve">
     <value>AvoidMultipleTypeAttributes</value>
   </data>
-</root>
+</root>
diff --git a/Tests/Rules/AvoidUsingPlainTextForPassword.tests.ps1 b/Tests/Rules/AvoidUsingPlainTextForPassword.tests.ps1
@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 
 BeforeAll {
-    $violationMessage = [regex]::Escape("Parameter '`$password' should use SecureString, otherwise this will expose sensitive information. See ConvertTo-SecureString for more information.")
+    $violationMessage = [regex]::Escape("Parameter '`$password' should not use String type but either ")
     $violationName = "PSAvoidUsingPlainTextForPassword"
     $violationFilepath = Join-Path $PSScriptRoot 'AvoidUsingPlainTextForPassword.ps1'
     $violations = Invoke-ScriptAnalyzer $violationFilepath | Where-Object { $_.RuleName -eq $violationName }
@@ -17,15 +17,15 @@ Describe "AvoidUsingPlainTextForPassword" {
         }
 
         It "suggests corrections" {
-            Test-CorrectionExtent $violationFilepath $violations[0] 1 '$passphrases' '[SecureString] $passphrases'
+            Test-CorrectionExtent $violationFilepath $violations[0] 2 '$passphrases' '[SecureString] $passphrases'
             $violations[0].SuggestedCorrections[0].Description | Should -Be 'Set $passphrases type to SecureString'
 
-            Test-CorrectionExtent $violationFilepath $violations[1] 1 '$passwordparam' '[SecureString] $passwordparam'
-            Test-CorrectionExtent $violationFilepath $violations[2] 1 '$credential' '[SecureString] $credential'
-            Test-CorrectionExtent $violationFilepath $violations[3] 1 '$password' '[SecureString] $password'
-            Test-CorrectionExtent $violationFilepath $violations[4] 1 '[string]' '[SecureString]'
-            Test-CorrectionExtent $violationFilepath $violations[5] 1 '[string[]]' '[SecureString[]]'
-            Test-CorrectionExtent $violationFilepath $violations[6] 1 '[string]' '[SecureString]'
+            Test-CorrectionExtent $violationFilepath $violations[1] 2 '$passwordparam' '[SecureString] $passwordparam'
+            Test-CorrectionExtent $violationFilepath $violations[2] 2 '$credential' '[SecureString] $credential'
+            Test-CorrectionExtent $violationFilepath $violations[3] 2 '$password' '[SecureString] $password'
+            Test-CorrectionExtent $violationFilepath $violations[4] 2 '[string]' '[SecureString]'
+            Test-CorrectionExtent $violationFilepath $violations[5] 2 '[string[]]' '[SecureString[]]'
+            Test-CorrectionExtent $violationFilepath $violations[6] 2 '[string]' '[SecureString]'
         }
 
         It "has the correct violation message" {
