Invoke-Expression 被设计用于什么场景? [英] In what scenario was Invoke-Expression designed to be used?

问题描述

9/10 次如果您尝试使用 Invoke-Expression cmdlet，还有更好的方法.动态构建命令的参数?使用参数数组.为 cmdlet 构建参数?将 splatting 与数组或哈希表一起使用.你的命令在它的路径中有一个空格?使用调用运算符 (&).

9/10 times if you are trying to use the Invoke-Expression cmdlet, there is a better way. Building the arguments to a command dynamically? Use an array of arguments. Building the arguments to a cmdlet? Use splatting with an array or hashtable. Your command has a space in the path to it? Use the call operator (&).

这可能看起来是开放式的，但 Invoke-Expression 是一个易于访问的 cmdlet，答案几乎总是从不使用它.但是这个 cmdlet 存在是有原因的，并没有被弃用，大多数对其使用状态的批评类似于它几乎从来都不是正确的答案"，但从未说明何时可以接受使用它.在什么情况下可以使用Invoke-Expression?或者说得不那么公开，Invoke-Expression 是如何设计的?

This might seem open ended, but Invoke-Expression is an easily accessible cmdlet where the answer is almost always to never use it. But the cmdlet exists for a reason, is not deprecated, and most criticisms of its use state something similar to, "it's almost never the right answer", but never states when it is acceptable to use it. In what case is it acceptable to use Invoke-Expression? Or to word it a bit less openly, how was Invoke-Expression designed to be used?

推荐答案

引自 PowerShell 团队博客文章，标题为 Invoke-Expression 被认为有害(强调添加):

To quote from a PowerShell team blog post titled Invoke-Expression considered harmful (emphasis added):

底线:Invoke-Expression 对于某些场景(例如在运行时创建新脚本)是一个强大且有用的命令，但总的来说，如果您发现自己使用 Invoke- 表达，你应该问问自己，或者问问你尊敬的同事是否有更好的方法.

The bottom line: Invoke-Expression is a powerful and useful command for some scenarios such as creating new scripts at runtime, but in general, if you find yourself using Invoke-Expression, you should ask yourself, or maybe a respected colleague if there is a better way.

EBGreen 注释:

或者换一种说法，只要用户从不参与生成将被调用的字符串的任何部分，就可以使用 [Invoke-Expression].但即便如此，不使用它会比使用它更好地养成习惯.

Or to phrase it another way, It [Invoke-Expression] is ok to use as long as a user is never involved in any part of generating the string that will be invoked. But even then, not using it will enforce better habits than using it would.

简而言之:

• 按照习惯，总是首先考虑不同的(通常更强大和更安全)的解决方案.

如果您确实发现 Invoke-Expression 是您唯一的选择，请仔细考虑安全隐患:如果来自(不受信任的)外部来源的字符串 (例如，用户输入)直接传递给Invoke-Expression，可以执行任意命令.

If you do find that Invoke-Expression is your only choice, carefully consider the security implications: if a string from an (untrusted) outside source (e.g., user input) is passed directly to Invoke-Expression, arbitrary commands may be executed.

^{注意:从 Windows PowerShell v5.1/PowerShell Core v6.1.0 开始，官方 Invoke-Expression 帮助主题 不提供此类指导；这个 GitHub 问题 建议纠正这个问题.}

^{Note: As of Windows PowerShell v5.1 / PowerShell Core v6.1.0, the official Invoke-Expression help topic doesn't provide such guidance; this GitHub issue suggests rectifying that.}

罕见合理(安全)使用Invoke-Expression的例子:

Rare examples of justified (safe) use of Invoke-Expression:

• 动态创建 PSv5+ 自定义类:

• Creating PSv5+ custom classes dynamically:

• 以便该类可以在远程会话中使用.

以便可以在运行时根据条件创建属性集.

将Invoke-Expression 与Write-Output 结合使用:

• 解析带有嵌入引号的字符串，需要额外的预防措施.

解析存储在文件中的命令行，如果受信任.

这篇关于Invoke-Expression 被设计用于什么场景?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！