PS: Allow for implicit reads at sinks in 'ps/sql-injection'.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll

@@ -22,7 +22,14 @@ module SqlInjection {
    * A data flow sink for SQL-injection vulnerabilities.
    */
   abstract class Sink extends DataFlow::Node {
+    /** Gets a description of this sink. */
     abstract string getSinkType();
+
+    /**
+     * Holds if this sink should allow for an implicit read of `cs` when
+     * reached.
+     */
+    predicate allowImplicitRead(DataFlow::ContentSet cs) { none() }
   }
 
   /**
@@ -45,10 +52,19 @@ module SqlInjection {
         not call.hasNamedArgument("query") and
         not call.hasNamedArgument("inputfile") and
         this = call.getArgument(0)
+        or
+        // TODO: Here we really should pick a splat argument, but we don't yet extract whether an
+        // argument is a splat argument.
+        this = unique( | | call.getAnArgument())
       )
     }
 
     override string getSinkType() { result = "call to Invoke-Sqlcmd" }
+
+    override predicate allowImplicitRead(DataFlow::ContentSet cs) {
+      cs.getAStoreContent().(DataFlow::Content::KnownKeyContent).getIndex().asString().toLowerCase() =
+        ["query", "inputfile"]
+    }
   }
 
   class ConnectionStringWriteSink extends Sink {

powershell/ql/lib/semmle/code/powershell/security/SqlInjectionQuery.qll

@@ -18,6 +18,10 @@ private module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet cs) {
+    node.(Sink).allowImplicitRead(cs)
+  }
 }
 
 /**