In what scenario was Invoke-Expression designed to be used?

by

To quote from a PowerShell team blog post titled Invoke-Expression considered harmful (emphasis added):

The bottom line: Invoke-Expression is a powerful and useful command for some scenarios such as creating new scripts at runtime, but in general, if you find yourself using Invoke-Expression, you should ask yourself, or maybe a respected colleague if there is a better way.

EBGreen notes:

Or to phrase it another way, It [Invoke-Expression] is ok to use as long as a user is never involved in any part of generating the string that will be invoked. But even then, not using it will enforce better habits than using it would.

In short:

  • As a matter of habit, always consider a different (usually more robust and secure) solution first.

  • If you do find that Invoke-Expression is your only choice, carefully consider the security implications: if a string from an (untrusted) outside source (e.g., user input) is passed directly to Invoke-Expression, arbitrary commands may be executed.

    • Therefore: Only use Invoke-Expression if you fully control or implicitly trust the input.

Note: As of Windows PowerShell v5.1 / PowerShell Core v6.1.0, the official Invoke-Expression help topic doesn’t provide such guidance; this GitHub issue suggests rectifying that.

Rare examples of justified (safe) use of Invoke-Expression:

More Related Contents:

  1. PowerShell output is crossing between functions
  2. Split a string with spaces on a new line in PowerShell
  3. how do I pass a range of values on the command line – passing an expression as an argument
  4. What type of object is $: (such as `$code:`) in Powershell?
  5. Parsing xml using powershell
  6. Powershell Custom Object Confusion
  7. How can I pass an argument to a PowerShell script?
  8. Recursive file search using PowerShell
  9. How to send multipart/form-data with PowerShell Invoke-RestMethod
  10. How do I get only directories using Get-ChildItem?
  11. How to run an application as “run as administrator” from the command prompt? [closed]
  12. Web.Config transforms outside of Microsoft MSBuild?
  13. Limit Get-ChildItem recursion depth
  14. How do I concatenate two text files in PowerShell?
  15. Create Log File in Powershell
  16. Extract the filename from a path
  17. Editing shortcut (.lnk) properties with Powershell
  18. Confused with -Include parameter of the Get-ChildItem cmdlet
  19. Colored text output in PowerShell console using ANSI / VT100 codes
  20. How to convert value to KB, MB, or GB depending on digit placeholders?
  21. Powershell Join-Path showing 2 dirs in result instead of 1 – accidental script/function output
  22. Set Value of Nested Object Property by Name in PowerShell
  23. powershell – list local users and their groups
  24. Escaping dollar signs in PowerShell path is not working
  25. Git Shell in Windows: patch’s default character encoding is UCS-2 Little Endian – how to change this to ANSI or UTF-8 without BOM?
  26. Adding an App Settings to existing Azure Web Application using Azure Power Shell
  27. .SelectSingleNode in Powershell script using xPath not working on extracting values from web.config file
  28. List of all colors available for PowerShell?
  29. Run Executable from Powershell script with parameters
  30. Expand variable inside single quotes

Leave a Comment