From 0585c2f9e568f6dbe451bd5dbfec6ed3d81e261b Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Fri, 4 Jul 2025 11:12:31 +0100
Subject: [PATCH] PS: Gets back the previously-lost false negative by making the variable property name expression the sink when there is a call to 'Invoke'.

---
 .../security/CommandInjectionCustomizations.qll | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
index 4ff098f1e19..2309490cb2a 100644
--- a/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
+++ b/powershell/ql/lib/semmle/code/powershell/security/CommandInjectionCustomizations.qll
@@ -142,9 +142,11 @@ module CommandInjection {
 class InvokeSink extends Sink {
 InvokeSink() {
 exists(InvokeMemberExpr ie |
- this.asExpr().getExpr() = ie.getCallee() or
- this.asExpr().getExpr() = ie.getQualifier()
- )
+ this.asExpr().getExpr() = ie.getCallee()
+ or
+ ie.getAName() = "Invoke" and
+ ie.getQualifier().(MemberExprReadAccess).getMemberExpr() = this.asExpr().getExpr()
+ )
 }
 
 override string getSinkType() { result = "call to Invoke" }
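Review bot: The new branch matches the member name with a case-sensitive string comparison, `ie.getAName() = "Invoke"`, but PowerShell member names are case-insensitive, so `$x.invoke(...)` or `$x.INVOKE(...)` would not be recognised as a sink unless `getAName()` already normalises case (not visible in this hunk); if it does not, `ie.getAName().toLowerCase() = "invoke" and` keeps the sink from being bypassed by a spelling change. Separately, the qualifier itself is no longer a sink in the new code: only the member expression of a `MemberExprReadAccess` qualifier is, so `Invoke` called directly on a plain variable read no longer sinks via the second branch — if that narrowing is deliberate, a QLDoc on the class saying so would help, e.g. `/** The callee of an invoke-member call, or the property expression that is read to obtain the qualifier of a call to `Invoke`. */`. The enclosing `module CommandInjection` starts before the hunk.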