Expand Minimize

SPC029101: Do not use Invoke-Expression

Invoke-Expression allows external text to be run as code. Evaluated code at runtime is a script injection vulnerability. Dynamic code can be executed using PowerShells & operator and splatting to apply the paramaters required.

CheckId SPC029101
TypeName DoNotUseInvokeExpression
Severity CriticalWarning
Type PoShFile

Bad Practice

Invoke-Expression $inputCommand
Good Practice
$command = "Get-Foo"
$params = @{
  arg = $input
}
& $command @params

Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.