Add CLM rule ScriptsToProcess; Fix wildcard and dotsource bug

joshcorr · joshcorr · commit 3d3afc87784e · 2026-03-19T23:37:30.000-07:00
diff --git a/Rules/Strings.resx b/Rules/Strings.resx
@@ -1311,6 +1311,9 @@
   <data name="UseConstrainedLanguageModeScriptModuleError" xml:space="preserve">
     <value>Module manifest field '{0}' contains script file '{1}' (.ps1). Use a module file (.psm1) or a binary module (.dll) instead for Constrained Language Mode compatibility.</value>
   </data>
+  <data name="UseConstrainedLanguageModeScriptsToProcessError" xml:space="preserve">
+    <value>Module manifest field 'ScriptsToProcess' contains script file '{0}' (.ps1). Scripts in ScriptsToProcess run in the caller's session state and are restricted in Constrained Language Mode. Consider moving this logic to module initialization code</value>
+  </data>
   <data name="UseConstrainedLanguageModePSCustomObjectError" xml:space="preserve">
     <value>[PSCustomObject]@{{}} syntax is not permitted in Constrained Language Mode. Use New-Object PSObject -Property @{{}} or plain hashtables instead.</value>
   </data>
diff --git a/Rules/UseConstrainedLanguageMode.cs b/Rules/UseConstrainedLanguageMode.cs
@@ -538,7 +538,7 @@ private void CheckDotSourcing(Ast ast, string fileName, List<DiagnosticRecord> d
                 // Check if the command extent starts with a dot followed by whitespace
                 // This indicates dot-sourcing
                 string extentText = cmdAst.Extent.Text.TrimStart();
-                if (extentText.StartsWith(". ") || extentText.StartsWith(".\t"))
+                if (extentText.StartsWith(".") && extentText.Length > 1 && char.IsWhiteSpace(extentText[1]))
                 {
                     diagnosticRecords.Add(
                         new DiagnosticRecord(
@@ -800,8 +800,8 @@ private void CheckModuleManifest(Ast ast, string fileName, List<DiagnosticRecord
 
             // Check for wildcard exports in FunctionsToExport, CmdletsToExport, AliasesToExport
             CheckWildcardExports(hashtableAst, fileName, diagnosticRecords);
-            
-            // Check for .ps1 files in RootModule and NestedModules
+
+            // Check for .ps1 files in RootModule, NestedModules, and ScriptsToProcess
             CheckScriptModules(hashtableAst, fileName, diagnosticRecords);
         }
 
@@ -810,8 +810,8 @@ private void CheckModuleManifest(Ast ast, string fileName, List<DiagnosticRecord
         /// </summary>
         private void CheckWildcardExports(HashtableAst hashtableAst, string fileName, List<DiagnosticRecord> diagnosticRecords)
         {
-            //AliasesToExport and VariablesToExport can use wildcards in CLM, but it is not recommended for performance reasons. We will flag it as an informational message to encourage best practices.
-            string[] exportFields = { "FunctionsToExport", "CmdletsToExport", "AliasesToExport", "VariablesToExport" };
+            //AliasesToExport and VariablesToExport can use wildcards in CLM, but it is not recommended for performance reasons.
+            string[] exportFields = { "FunctionsToExport", "CmdletsToExport"};
 
             foreach (var kvp in hashtableAst.KeyValuePairs)
             {
@@ -868,9 +868,16 @@ private void CheckWildcardExports(HashtableAst hashtableAst, string fileName, Li
                                             }
                                         }
                                     }
+                                    else if (expr is StringConstantExpressionAst strElement && strElement.Value == "*")
+                                    {
+                                        // Handle single-item array expressions like @('*')
+                                        hasWildcard = true;
+                                        wildcardExtent = strElement.Extent;
+                                        break;
+                                    }
                                     if (hasWildcard) break;
                                 }
-                            }
+                            } 
                         }
 
                         if (hasWildcard && wildcardExtent != null)
@@ -892,11 +899,11 @@ private void CheckWildcardExports(HashtableAst hashtableAst, string fileName, Li
         }
 
         /// <summary>
-        /// Checks for .ps1 files in RootModule and NestedModules which are not recommended for CLM.
+        /// Checks for .ps1 files in RootModule, NestedModules, and ScriptsToProcess which are not recommended for CLM.
         /// </summary>
         private void CheckScriptModules(HashtableAst hashtableAst, string fileName, List<DiagnosticRecord> diagnosticRecords)
         {
-            string[] moduleFields = { "RootModule", "ModuleToProcess", "NestedModules" };
+            string[] moduleFields = { "RootModule", "NestedModules", "ScriptsToProcess" };
 
             foreach (var kvp in hashtableAst.KeyValuePairs)
             {
@@ -928,6 +935,26 @@ private ExpressionAst GetExpressionFromStatement(StatementAst statement)
             return null;
         }
 
+        /// <summary>
+        /// Helper method to get the appropriate error message for .ps1 file usage in module manifests.
+        /// </summary>
+        private string GetPs1FileErrorMessage(string fieldName, string scriptFileName)
+        {
+            if (fieldName.Equals("ScriptsToProcess", StringComparison.OrdinalIgnoreCase))
+            {
+                return String.Format(CultureInfo.CurrentCulture,
+                    Strings.UseConstrainedLanguageModeScriptsToProcessError,
+                    scriptFileName);
+            }
+            else
+            {
+                return String.Format(CultureInfo.CurrentCulture,
+                    Strings.UseConstrainedLanguageModeScriptModuleError,
+                    fieldName,
+                    scriptFileName);
+            }
+        }
+
         /// <summary>
         /// Helper method to check if an expression contains .ps1 file references.
         /// </summary>
@@ -939,10 +966,7 @@ private void CheckForPs1Files(ExpressionAst valueAst, string fieldName, string f
                 {
                     diagnosticRecords.Add(
                         new DiagnosticRecord(
-                            String.Format(CultureInfo.CurrentCulture,
-                                Strings.UseConstrainedLanguageModeScriptModuleError,
-                                fieldName,
-                                stringValue.Value),
+                            GetPs1FileErrorMessage(fieldName, stringValue.Value),
                             stringValue.Extent,
                             GetName(),
                             GetDiagnosticSeverity(),
@@ -960,10 +984,7 @@ private void CheckForPs1Files(ExpressionAst valueAst, string fieldName, string f
                     {
                         diagnosticRecords.Add(
                             new DiagnosticRecord(
-                                String.Format(CultureInfo.CurrentCulture,
-                                    Strings.UseConstrainedLanguageModeScriptModuleError,
-                                    fieldName,
-                                    strElement.Value),
+                                GetPs1FileErrorMessage(fieldName, strElement.Value),
                                 strElement.Extent,
                                 GetName(),
                                 GetDiagnosticSeverity(),
@@ -990,10 +1011,7 @@ private void CheckForPs1Files(ExpressionAst valueAst, string fieldName, string f
                                 {
                                     diagnosticRecords.Add(
                                         new DiagnosticRecord(
-                                            String.Format(CultureInfo.CurrentCulture,
-                                                Strings.UseConstrainedLanguageModeScriptModuleError,
-                                                fieldName,
-                                                strElement.Value),
+                                            GetPs1FileErrorMessage(fieldName, strElement.Value),
                                             strElement.Extent,
                                             GetName(),
                                             GetDiagnosticSeverity(),
@@ -1002,6 +1020,19 @@ private void CheckForPs1Files(ExpressionAst valueAst, string fieldName, string f
                                 }
                             }
                         }
+                        else if (expr is StringConstantExpressionAst strElement &&
+                            strElement.Value != null &&
+                            strElement.Value.EndsWith(".ps1", StringComparison.OrdinalIgnoreCase))
+                        {
+                            diagnosticRecords.Add(
+                                    new DiagnosticRecord(
+                                        GetPs1FileErrorMessage(fieldName, strElement.Value),
+                                        strElement.Extent,
+                                        GetName(),
+                                        GetDiagnosticSeverity(),
+                                        fileName
+                                    ));
+                        }
                     }
                 }
             }
diff --git a/Tests/Rules/UseConstrainedLanguageMode.tests.ps1 b/Tests/Rules/UseConstrainedLanguageMode.tests.ps1
@@ -235,36 +235,36 @@ enum MyEnum {
             $matchingViolations[0].Message | Should -BeLike "*FunctionsToExport*wildcard*"
         }
 
-        It "Should flag wildcard in CmdletsToExport" {
-            $manifestPath = Join-Path $tempPath "WildcardCmdlets.psd1"
+                It "Should flag wildcard array in FunctionsToExport" {
+            $manifestPath = Join-Path $tempPath "WildcardFunctions.psd1"
             $manifestContent = @'
 @{
     ModuleVersion = '1.0.0'
     GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
-    CmdletsToExport = '*'
+    FunctionsToExport = @('*')
 }
 '@
             Set-Content -Path $manifestPath -Value $manifestContent
             $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
             $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
             $matchingViolations.Count | Should -BeGreaterThan 0
-            $matchingViolations[0].Message | Should -BeLike "*CmdletsToExport*wildcard*"
+            $matchingViolations[0].Message | Should -BeLike "*FunctionsToExport*wildcard*"
         }
 
-        It "Should flag wildcard in array of exports" {
-            $manifestPath = Join-Path $tempPath "WildcardArray.psd1"
+        It "Should flag wildcard in CmdletsToExport" {
+            $manifestPath = Join-Path $tempPath "WildcardCmdlets.psd1"
             $manifestContent = @'
 @{
     ModuleVersion = '1.0.0'
     GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
-    AliasesToExport = @('Get-Foo', '*', 'Set-Bar')
+    CmdletsToExport = '*'
 }
 '@
             Set-Content -Path $manifestPath -Value $manifestContent
             $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
             $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
             $matchingViolations.Count | Should -BeGreaterThan 0
-            $matchingViolations[0].Message | Should -BeLike "*AliasesToExport*wildcard*"
+            $matchingViolations[0].Message | Should -BeLike "*CmdletsToExport*wildcard*"
         }
 
         It "Should NOT flag explicit list of exports" {
@@ -336,6 +336,73 @@ enum MyEnum {
             $scriptModuleViolations | Should -BeNullOrEmpty
         }
 
+        It "Should flag .ps1 file in ScriptsToProcess" {
+            $manifestPath = Join-Path $tempPath "ScriptsToProcess.psd1"
+            $manifestContent = @'
+@{
+    ModuleVersion = '1.0.0'
+    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    ScriptsToProcess = @('Init.ps1', 'Setup.ps1')
+}
+'@
+            Set-Content -Path $manifestPath -Value $manifestContent
+            $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
+            $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
+            $matchingViolations.Count | Should -BeGreaterThan 0
+            $matchingViolations[0].Message | Should -BeLike "*ScriptsToProcess*Init.ps1*"
+        }
+
+        It "Should use different error message for ScriptsToProcess" {
+            $manifestPath = Join-Path $tempPath "ScriptsToProcessMessage.psd1"
+            $manifestContent = @'
+@{
+    ModuleVersion = '1.0.0'
+    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    ScriptsToProcess = 'Init.ps1'
+}
+'@
+            Set-Content -Path $manifestPath -Value $manifestContent
+            $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
+            $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
+            $matchingViolations.Count | Should -Be 1
+            # ScriptsToProcess should have a specific message about caller's session state
+            $matchingViolations[0].Message | Should -BeLike "*caller*session state*"
+            $matchingViolations[0].Message | Should -BeLike "*Init.ps1*"
+        }
+
+        It "Should flag single-item array in ScriptsToProcess" {
+            $manifestPath = Join-Path $tempPath "ScriptsToProcessArray.psd1"
+            $manifestContent = @'
+@{
+    ModuleVersion = '1.0.0'
+    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    ScriptsToProcess = @('Init.ps1')
+}
+'@
+            Set-Content -Path $manifestPath -Value $manifestContent
+            $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
+            $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
+            $matchingViolations.Count | Should -Be 1
+            $matchingViolations[0].Message | Should -BeLike "*ScriptsToProcess*Init.ps1*"
+        }
+
+        It "Should NOT flag .psm1 files in ScriptsToProcess" {
+            $manifestPath = Join-Path $tempPath "ScriptsToProcessPsm1.psd1"
+            $manifestContent = @'
+@{
+    ModuleVersion = '1.0.0'
+    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    ScriptsToProcess = @('Init.psm1')
+}
+'@
+            Set-Content -Path $manifestPath -Value $manifestContent
+            $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
+            $scriptViolations = $violations | Where-Object { 
+                $_.RuleName -eq $violationName -and $_.Message -like "*ScriptsToProcess*" 
+            }
+            $scriptViolations | Should -BeNullOrEmpty
+        }
+
         It "Should flag both wildcard and .ps1 issues in same manifest" {
             $manifestPath = Join-Path $tempPath "MultipleIssues.psd1"
             $manifestContent = @'
@@ -353,6 +420,33 @@ enum MyEnum {
             # Should have at least 3 violations: RootModule .ps1, FunctionsToExport *, CmdletsToExport *
             $matchingViolations.Count | Should -BeGreaterOrEqual 3
         }
+
+        It "Should flag ScriptsToProcess and RootModule with different messages" {
+            $manifestPath = Join-Path $tempPath "MixedScriptFields.psd1"
+            $manifestContent = @'
+@{
+    ModuleVersion = '1.0.0'
+    GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    RootModule = 'MyModule.ps1'
+    ScriptsToProcess = @('Init.ps1')
+}
+'@
+            Set-Content -Path $manifestPath -Value $manifestContent
+            $violations = Invoke-ScriptAnalyzer -Path $manifestPath -Settings $settings
+            $matchingViolations = $violations | Where-Object { $_.RuleName -eq $violationName }
+            $matchingViolations.Count | Should -Be 2
+
+            # Check that we have both types of messages
+            $scriptsToProcessMsg = $matchingViolations | Where-Object { $_.Message -like "*caller*session state*" }
+            $rootModuleMsg = $matchingViolations | Where-Object { $_.Message -like "*RootModule*" -and $_.Message -notlike "*caller*session state*" }
+
+            $scriptsToProcessMsg.Count | Should -Be 1
+            $rootModuleMsg.Count | Should -Be 1
+
+            # Verify the specific field names are mentioned
+            $scriptsToProcessMsg[0].Message | Should -BeLike "*Init.ps1*"
+            $rootModuleMsg[0].Message | Should -BeLike "*MyModule.ps1*"
+        }
     }
 
     Context "Rule severity" {
@@ -628,6 +722,7 @@ class MyClass {
             $scriptPath = Join-Path $tempPath "SignedWithDotSource.ps1"
             $scriptContent = @'
 . .\Helper.ps1
+.      .\U  tility.ps1
 
 # SIG # Begin signature block
 # MIIFFAYJKoZIhvcNAQcCoIIFBTCCBQECAQExCzAJ...
diff --git a/docs/Rules/UseConstrainedLanguageMode.md b/docs/Rules/UseConstrainedLanguageMode.md
@@ -137,6 +137,7 @@ Use modules with Import-Module instead of dot-sourcing when possible.
 
 - Replace wildcard exports (`*`) with explicit lists
 - Use `.psm1` or `.dll` instead of `.ps1` for RootModule/NestedModules
+- Don't use ScriptsToProcess as it loads in the caller's scope and will be blocked. 
 
 ## Examples
 
