Implemented GitHub Copilot suggestions

Author: iRon7

Rules/AvoidSecretDisclosure.cs

@@ -55,9 +55,13 @@ testAst is CommandAst cmdAst &&
                 var bindingResult = StaticParameterBinder.BindCommand(cmdAst, true);
 
                 // Check for -AsPlainText parameter
+                // The constantValue appears true even the value is a variable
+                // This is ok because the rule should still trigger in that case since the value of the
+                // variable could be true at runtime, and we want to catch all potential violations
                 if (
                     bindingResult.BoundParameters.ContainsKey("AsPlainText") &&
-                    (bool)bindingResult.BoundParameters["AsPlainText"].ConstantValue == true
+                    bindingResult.BoundParameters["AsPlainText"].ConstantValue is bool constantValue &&
+                    constantValue == true
                 ) {
                     yield return GetDiagnosticRecord(cmdAst.Extent, fileName, "AsPlainText");
                 }
@@ -102,10 +106,7 @@ testAst is MemberExpressionAst memberAst &&
         private DiagnosticRecord GetDiagnosticRecord(IScriptExtent Extent, string fileName, string suppressionId)
         {
             return new DiagnosticRecord(
-                string.Format(
-                    CultureInfo.CurrentCulture,
-                    Strings.AvoidSecretDisclosureError,
-                    Extent.Text),
+                Strings.AvoidSecretDisclosureError,
                 Extent,
                 GetName(),
                 DiagnosticSeverity.Warning,

Tests/Rules/AvoidSecretDisclosure.tests.ps1

@@ -29,6 +29,19 @@ Describe "AvoidSecretDisclosure" {
             $violations.RuleSuppressionID | Should -Be 'AsPlainText'
         }
 
+        It "ConvertFrom-SecureString -AsPlainText:$true" {
+            $scriptDefinition = {
+                $SecureString = ConvertTo-SecureString 'P@ssW0rd' -AsPlainText
+                $Null = $SecureString | ConvertFrom-SecureString -AsPlainText:$true
+            }.ToString()
+            $violations = Invoke-ScriptAnalyzer -ScriptDefinition $scriptDefinition -IncludeRule @($ruleName)
+            $violations.Count             | Should -Be 1
+            $violations.Severity          | Should -Be Warning
+            $violations.Extent.Text       | Should -Be {ConvertFrom-SecureString -AsPlainText:$true}.ToString()
+            $violations.Message           | Should -Be $ruleMessage
+            $violations.RuleSuppressionID | Should -Be 'AsPlainText'
+        }
+
         It "SecureStringToBSTR()" {
             $scriptDefinition = {
                 $SecureString = ConvertTo-SecureString 'P@ssW0rd' -AsPlainText
@@ -198,4 +211,30 @@ Describe "AvoidSecretDisclosure" {
             $violations | Should -BeNullOrEmpty
         }
     }
+
+    Context "should not crash" {
+
+        It "-AsPlainText:$false" {
+            $scriptDefinition = {
+                $SecureString = ConvertTo-SecureString 'P@ssW0rd' -AsPlainText
+                $Null = $SecureString | ConvertFrom-SecureString -AsPlainText:$false
+            }.ToString()
+            $violations = Invoke-ScriptAnalyzer -ScriptDefinition $scriptDefinition -IncludeRule @($ruleName)
+            $violations | Should -BeNullOrEmpty
+        }
+
+        It "-AsPlainText:$someVar" {
+            $scriptDefinition = {
+                param ([bool] $someVar)
+                $SecureString = ConvertTo-SecureString 'P@ssW0rd' -AsPlainText
+                $Null = $SecureString | ConvertFrom-SecureString -AsPlainText:$someVar
+            }.ToString()
+            $violations = Invoke-ScriptAnalyzer -ScriptDefinition $scriptDefinition -IncludeRule @($ruleName)
+            $violations.Count             | Should -Be 1
+            $violations.Severity          | Should -Be Warning
+            $violations.Extent.Text       | Should -Be {ConvertFrom-SecureString -AsPlainText:$someVar}.ToString()
+            $violations.Message           | Should -Be $ruleMessage
+            $violations.RuleSuppressionID | Should -Be 'AsPlainText'
+        }
+    }
 }

docs/Rules/AvoidSecretDisclosure.md

@@ -34,6 +34,12 @@ In general, avoid any code pattern that involves converting secrets to plaintext
 > contain secrets, or to ensure that they do not actually contain secrets. If renaming is not possible, consider
 > suppressing the warning for those specific cases.
 
+ ## Configuration
+
+ ### Parameters
+
+ * `Enable` - Enables or disables the rule. Default value is `True`.
+
 ## Example
 
 ### Wrong