Merge pull request #264 from microsoft/simple-type-sanitizers

PS: Add simple type-based sanitizer to SQL injection query

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll

@@ -563,15 +563,15 @@ module API {
         )
         or
         exists(DataFlow::AutomaticVariableNode automatic |
-          automatic.getName() = name and
+          automatic.getLowerCaseName() = name and
           succ = getForwardStartNode(automatic)
         )
         or
         succ = getAnImplicitRootMember(name)
       )
       or
       exists(DataFlow::QualifiedTypeNameNode typeName |
-        typeName.getName() = name and
+        typeName.getLowerCaseName() = name and
         pred = MkNamespaceOfTypeNameNode(typeName) and
         succ = getForwardStartNode(typeName)
       )

powershell/ql/lib/semmle/code/powershell/ast/internal/AutomaticVariable.qll

@@ -1,11 +1,15 @@
 private import AstImport
 
 class AutomaticVariable extends Expr, TAutomaticVariable {
-  final override string toString() { result = this.getName() }
+  final override string toString() { result = this.getLowerCaseName() }
 
-  string getName() { any(Synthesis s).automaticVariableName(this, result) }
+  string getLowerCaseName() { any(Synthesis s).automaticVariableName(this, result) }
+
+  bindingset[result]
+  pragma[inline_late]
+  string getAName() { result.toLowerCase() = this.getLowerCaseName() }
 }
 
 class MyInvocation extends AutomaticVariable {
-  MyInvocation() { this.getName() = "myinvocation" }
+  MyInvocation() { this.getLowerCaseName() = "myinvocation" }
 }

powershell/ql/lib/semmle/code/powershell/ast/internal/InvokeMemberExpression.qll

@@ -71,8 +71,13 @@ class ConstructorCall extends InvokeMemberExpr {
     this.isStatic() and typename = this.getQualifier() and this.getLowerCaseName() = "new"
   }
 
+  /** Gets a name of the type being constructed by this constructor call. */
+  bindingset[result]
+  pragma[inline_late]
+  string getAConstructedTypeName() { result = typename.getAName() }
+
   /** Gets the name of the type being constructed by this constructor call. */
-  string getConstructedTypeName() { result = typename.getName() }
+  string getLowerCaseConstructedTypeName() { result = typename.getLowerCaseName() }
 }
 
 /**

powershell/ql/lib/semmle/code/powershell/ast/internal/ObjectCreation.qll

@@ -2,7 +2,11 @@ import powershell
 
 abstract private class AbstractObjectCreation extends CallExpr {
   /** The name of the type of the object being constructed. */
-  abstract string getConstructedTypeName();
+  bindingset[result]
+  pragma[inline_late]
+  string getAConstructedTypeName() { result.toLowerCase() = this.getLowerCaseConstructedTypeName() }
+
+  abstract string getLowerCaseConstructedTypeName();
 
   abstract Expr getConstructedTypeExpr();
 }
@@ -14,8 +18,14 @@ abstract private class AbstractObjectCreation extends CallExpr {
  * ```
  */
 class NewObjectCreation extends AbstractObjectCreation, ConstructorCall {
-  final override string getConstructedTypeName() {
-    result = ConstructorCall.super.getConstructedTypeName()
+  final override string getLowerCaseConstructedTypeName() {
+    result = ConstructorCall.super.getLowerCaseConstructedTypeName()
+  }
+
+  bindingset[result]
+  pragma[inline_late]
+  final override string getAConstructedTypeName() {
+    result = ConstructorCall.super.getAConstructedTypeName()
   }
 
   final override Expr getConstructedTypeExpr() { result = typename }
@@ -30,8 +40,8 @@ class NewObjectCreation extends AbstractObjectCreation, ConstructorCall {
 class DotNetObjectCreation extends AbstractObjectCreation, CmdCall {
   DotNetObjectCreation() { this.getLowerCaseName() = "new-object" }
 
-  final override string getConstructedTypeName() {
-    result = this.getConstructedTypeExpr().(StringConstExpr).getValueString()
+  final override string getLowerCaseConstructedTypeName() {
+    result = this.getConstructedTypeExpr().(StringConstExpr).getValueString().toLowerCase()
   }
 
   final override Expr getConstructedTypeExpr() {

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/NamedAttributeArgument.qll

@@ -15,9 +15,11 @@ class NamedAttributeArgument extends @named_attribute_argument, Ast {
 }
 
 class ValueFromPipelineAttribute extends NamedAttributeArgument {
-  ValueFromPipelineAttribute() { this.getName() = "ValueFromPipeline" }
+  ValueFromPipelineAttribute() { this.getName().toLowerCase() = "valuefrompipeline" }
 }
 
 class ValueFromPipelineByPropertyName extends NamedAttributeArgument {
-  ValueFromPipelineByPropertyName() { this.getName() = "ValueFromPipelineByPropertyName" }
+  ValueFromPipelineByPropertyName() {
+    this.getName().toLowerCase() = "valuefrompipelinebypropertyname"
+  }
 }

powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll

@@ -345,7 +345,7 @@ private module ParameterSynth {
         // has a static type.
         this.parameter(parent, i, p, _) and
         n = TVariableSynth(parent, i) and
-        type = p.getStaticType()
+        type = p.getStaticType().toLowerCase()
       )
     }
   }
@@ -530,7 +530,7 @@ private module TypeSynth {
     override predicate typeName(Type t, string name) {
       exists(Raw::TypeStmt typeStmt |
         t = TTypeSynth(typeStmt, _) and
-        typeStmt.getName() = name
+        typeStmt.getName().toLowerCase() = name
       )
     }
 

powershell/ql/lib/semmle/code/powershell/ast/internal/TypeExpression.qll

@@ -14,15 +14,21 @@ class TypeNameExpr extends Expr, TTypeNameExpr {
     )
   }
 
-  string getName() { this.parseName(_, result) }
+  string getLowerCaseName() { this.parseName(_, result) }
+
+  bindingset[result]
+  pragma[inline_late]
+  string getAName() { this.parseName(_, result.toLowerCase()) }
 
   /** If any */
-  string getPossiblyQualifiedName() { result = getRawAst(this).(Raw::TypeNameExpr).getName() }
+  string getPossiblyQualifiedName() {
+    result = getRawAst(this).(Raw::TypeNameExpr).getName().toLowerCase()
+  }
 
   // TODO: What to do when System is omitted?
   string getNamespace() { this.parseName(result, _) }
 
-  override string toString() { result = this.getName() }
+  override string toString() { result = this.getLowerCaseName() }
 
   predicate isQualified() { this.getNamespace() != "" }
 

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -587,7 +587,15 @@ module ExprNodes {
 
     override ObjectCreation getExpr() { result = e }
 
-    string getConstructedTypeName() { result = this.getExpr().getConstructedTypeName() }
+    string getLowerCaseConstructedTypeName() {
+      result = this.getExpr().getLowerCaseConstructedTypeName()
+    }
+
+    bindingset[result]
+    pragma[inline_late]
+    string getAConstructedTypeName() {
+      result.toLowerCase() = this.getLowerCaseConstructedTypeName()
+    }
 
     ExprCfgNode getConstructedTypeExpr() {
       e.hasCfgChild(this.getExpr().getConstructedTypeExpr(), this, result)
@@ -717,7 +725,11 @@ module ExprNodes {
 
     override TypeNameExpr getExpr() { result = e }
 
-    string getName() { result = e.getName() }
+    bindingset[result]
+    pragma[inline_late]
+    string getAName() { result = e.getAName() }
+
+    string getLowerCaseName() { result = e.getLowerCaseName() }
 
     string getNamespace() { result = e.getNamespace() }
 
@@ -1118,7 +1130,11 @@ module ExprNodes {
 
     override AutomaticVariable getExpr() { result = e }
 
-    string getName() { result = e.getName() }
+    bindingset[result]
+    pragma[inline_late]
+    string getAName() { result = e.getAName() }
+
+    string getLowerCaseName() { result = e.getLowerCaseName() }
   }
 }
 

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll

@@ -159,10 +159,10 @@ private predicate localFlowStep(Node nodeFrom, Node nodeTo, StepSummary summary)
 
 private module TrackInstanceInput implements CallGraphConstruction::InputSig {
   private predicate start0(Node start, string typename, boolean exact) {
-    start.(ObjectCreationNode).getObjectCreationNode().getConstructedTypeName() = typename and
+    start.(ObjectCreationNode).getObjectCreationNode().getLowerCaseConstructedTypeName() = typename and
     exact = true
     or
-    start.asExpr().(CfgNodes::ExprNodes::TypeNameExprCfgNode).getName() = typename and
+    start.asExpr().(CfgNodes::ExprNodes::TypeNameExprCfgNode).getLowerCaseName() = typename and
     exact = true
     or
     start.asParameter().getStaticType() = typename and

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll

@@ -495,7 +495,11 @@ class ObjectCreationNode extends ExprNode {
    */
   Node getConstructedTypeNode() { result.asExpr() = objectCreation.getConstructedTypeExpr() }
 
-  string getConstructedTypeName() { result = this.getObjectCreationNode().getConstructedTypeName() }
+  bindingset[result]
+  pragma[inline_late]
+  string getAConstructedTypeName() {
+    result = this.getObjectCreationNode().getAConstructedTypeName()
+  }
 }
 
 /** A call, viewed as a node in a data flow graph. */
@@ -567,7 +571,11 @@ class TypeNameNode extends ExprNode {
 
   override CfgNodes::ExprNodes::TypeNameExprCfgNode getExprNode() { result = n }
 
-  string getName() { result = n.getName() }
+  bindingset[result]
+  pragma[inline_late]
+  string getAName() { result = n.getAName() }
+
+  string getLowerCaseName() { result = n.getLowerCaseName() }
 
   predicate isQualified() { n.isQualified() }
 
@@ -593,5 +601,9 @@ class AutomaticVariableNode extends ExprNode {
 
   final override CfgNodes::ExprNodes::AutomaticVariableCfgNode getExprNode() { result = n }
 
-  string getName() { result = n.getName() }
+  bindingset[result]
+  pragma[inline_late]
+  string getAName() { result = n.getAName() }
+
+  string getLowerCaseName() { result = n.getLowerCaseName() }
 }