Merge pull request #91 from microsoft/powershell-cfg-for-if-and-match

MathiasVP · web-flow · commit 198ece98ce07 · 2024-09-09T18:11:25.000+01:00
PS: CFG for `if`, `match`, exceptions
diff --git a/powershell/ql/lib/semmle/code/powershell/ArrayExpression.qll b/powershell/ql/lib/semmle/code/powershell/ArrayExpression.qll
@@ -3,7 +3,7 @@ import powershell
 class ArrayExpr extends @array_expression, Expr {
   override SourceLocation getLocation() { array_expression_location(this, result) }
 
-  StmtBlock getStatementBlock() { array_expression(this, result) }
+  StmtBlock getStmtBlock() { array_expression(this, result) }
 
-  override string toString() { result = "ArrayExpression at: " + this.getLocation().toString() }
+  override string toString() { result = "@(...)" }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/Attribute.qll b/powershell/ql/lib/semmle/code/powershell/Attribute.qll
@@ -15,7 +15,11 @@ class Attribute extends @attribute, AttributeBase {
 
   NamedAttributeArgument getANamedArgument() { result = this.getNamedArgument(_) }
 
+  int getNumberOfArguments() { result = count(this.getAPositionalArgument()) }
+
   Expr getPositionalArgument(int i) { attribute_positional_argument(this, i, result) }
 
   Expr getAPositionalArgument() { result = this.getPositionalArgument(_) }
+
+  int getNumberOfPositionalArguments() { result = count(this.getAPositionalArgument()) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/CatchClause.qll b/powershell/ql/lib/semmle/code/powershell/CatchClause.qll
@@ -16,4 +16,24 @@ class CatchClause extends @catch_clause, Ast {
   predicate isCatchAll() { not exists(this.getACatchType()) }
 
   TryStmt getTryStmt() { result.getACatchClause() = this }
+
+  predicate isLast() {
+    exists(TryStmt ts, int last |
+      ts = this.getTryStmt() and
+      last = max(int i | exists(ts.getCatchClause(i))) and
+      this = ts.getCatchClause(last)
+    )
+  }
+}
+
+class GeneralCatchClause extends CatchClause {
+  GeneralCatchClause() { this.isCatchAll() }
+
+  override string toString() { result = "catch {...}" }
+}
+
+class SpecificCatchClause extends CatchClause {
+  SpecificCatchClause() { not this.isCatchAll() }
+
+  override string toString() { result = "catch[...] {...}" }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/Command.qll b/powershell/ql/lib/semmle/code/powershell/Command.qll
@@ -15,9 +15,28 @@ class Cmd extends @command, CmdBase {
 
   CmdElement getElement(int i) { command_command_element(this, i, result) }
 
-  Redirection getRedirection(int i) { command_redirection(this, i, result) }
+  StringConstExpr getCmdName() { result = this.getElement(0) }
+
+  Expr getArgument(int i) {
+    result =
+      rank[i + 1](CmdElement e, int j |
+        e = this.getElement(j) and
+        not e instanceof CmdParameter and
+        j > 0 // 0'th element is the command name itself
+      |
+        e order by j
+      )
+  }
+
+  Expr getNamedArgument(string name) {
+    exists(int i, CmdParameter p |
+      this.getElement(i) = p and
+      p.getName() = name and
+      result = p.getArgument()
+    )
+  }
 
-  CmdElement getAnElement() { result = this.getElement(_) }
+  Redirection getRedirection(int i) { command_redirection(this, i, result) }
 
   Redirection getARedirection() { result = this.getRedirection(_) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/CommandParameter.qll b/powershell/ql/lib/semmle/code/powershell/CommandParameter.qll
@@ -5,7 +5,19 @@ class CmdParameter extends @command_parameter, CmdElement {
 
   string getName() { command_parameter(this, result) }
 
-  Expr getArgument() { command_parameter_argument(this, result) }
+  Expr getArgument() {
+    // When an argumnt is of the form -Name:$var
+    command_parameter_argument(this, result)
+    or
+    // When an argument is of the form -Name $var
+    exists(int i, Cmd cmd |
+      cmd = this.getCmd() and
+      cmd.getElement(i) = this and
+      result = cmd.getElement(i + 1)
+    )
+  }
+
+  Cmd getCmd() { result.getElement(_) = this }
 
   override string toString() { command_parameter(this, result) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/IfStmt.qll b/powershell/ql/lib/semmle/code/powershell/IfStmt.qll
@@ -13,6 +13,10 @@ class IfStmt extends @if_statement, Stmt {
 
   StmtBlock getThen(int i) { if_statement_clause(this, i, _, result) }
 
+  int getNumberOfConditions() { result = count(this.getACondition()) }
+
+  StmtBlock getAThen() { result = this.getThen(_) }
+
   /** ..., if any. */
   StmtBlock getElse() { if_statement_else(this, result) }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll b/powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll
@@ -1,15 +1,15 @@
 import powershell
 
-class InvokeMemberExpression extends @invoke_member_expression, MemberExprBase {
+class InvokeMemberExpr extends @invoke_member_expression, MemberExprBase {
   override SourceLocation getLocation() { invoke_member_expression_location(this, result) }
 
-  Expr getExpression() { invoke_member_expression(this, result, _) }
+  Expr getBase() { invoke_member_expression(this, result, _) }
 
   CmdElement getMember() { invoke_member_expression(this, _, result) }
 
   Expr getArgument(int i) { invoke_member_expression_argument(this, i, result) }
 
   Expr getAnArgument() { invoke_member_expression_argument(this, _, result) }
 
-  override string toString() { result = "ArrayExpression at: " + this.getLocation().toString() }
+  override string toString() { result = "call to " + this.getMember() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/NamedAttributeArgument.qll b/powershell/ql/lib/semmle/code/powershell/NamedAttributeArgument.qll
@@ -1,9 +1,9 @@
 import powershell
 
-class NamedAttributeArgument extends @named_attribute_argument {
-  string toString() { result = this.getValue().toString() }
+class NamedAttributeArgument extends @named_attribute_argument, Ast {
+  final override string toString() { result = this.getValue().toString() }
 
-  SourceLocation getLocation() { named_attribute_argument_location(this, result) }
+  final override SourceLocation getLocation() { named_attribute_argument_location(this, result) }
 
   string getName() { named_attribute_argument(this, result, _) }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/StringConstantExpression.qll b/powershell/ql/lib/semmle/code/powershell/StringConstantExpression.qll
@@ -1,10 +1,10 @@
 import powershell
 
-class StringConstExpression extends @string_constant_expression, BaseConstExpr {
+class StringConstExpr extends @string_constant_expression, BaseConstExpr {
   StringLiteral getValue() { string_constant_expression(this, result) }
 
   /** Get the full string literal with all its parts concatenated */
-  override string toString() { result = getValue().toString() }
+  override string toString() { result = this.getValue().toString() }
 
   override SourceLocation getLocation() { string_constant_expression_location(this, result) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/StringLiteral.qll b/powershell/ql/lib/semmle/code/powershell/StringLiteral.qll
@@ -7,7 +7,11 @@ class StringLiteral extends @string_literal {
 
   /** Get the full string literal with all its parts concatenated */
   string toString() {
-    result = concat(int i | i = [0 .. getNumContinuations()] | getContinuation(i), "\n")
+    result = this.getValue()
+  }
+
+  string getValue() {
+    result = concat(int i | i = [0 .. this.getNumContinuations()] | this.getContinuation(i), "\n")
   }
 
   SourceLocation getLocation() { string_literal_location(this, result) }
diff --git a/powershell/ql/lib/semmle/code/powershell/TryStmt.qll b/powershell/ql/lib/semmle/code/powershell/TryStmt.qll
@@ -14,4 +14,5 @@ class TryStmt extends @try_statement, Stmt {
 
   StmtBlock getBody() { try_statement(this, result) }
 
+  predicate hasFinally() { exists(this.getFinally()) }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/ControlFlowGraph.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/ControlFlowGraph.qll
@@ -69,18 +69,25 @@ module SuccessorTypes {
    * A conditional control flow successor. Either a Boolean successor (`BooleanSuccessor`)
    * or a matching successor (`MatchingSuccessor`)
    */
-  class ConditionalSuccessor extends SuccessorType {
+  abstract class ConditionalSuccessor extends SuccessorType {
     boolean value;
 
-    ConditionalSuccessor() { this = CfgImpl::TBooleanSuccessor(value) }
+    bindingset[value]
+    ConditionalSuccessor() { any() }
 
     /** Gets the Boolean value of this successor. */
     final boolean getValue() { result = value }
 
     override string toString() { result = this.getValue().toString() }
   }
 
-  class BooleanSuccessor extends ConditionalSuccessor, CfgImpl::TBooleanSuccessor { }
+  class BooleanSuccessor extends ConditionalSuccessor, CfgImpl::TBooleanSuccessor {
+    BooleanSuccessor() { this = CfgImpl::TBooleanSuccessor(value) }
+  }
+
+  class MatchingSuccessor extends ConditionalSuccessor, CfgImpl::TMatchingSuccessor {
+    MatchingSuccessor() { this = CfgImpl::TMatchingSuccessor(value) }
+  }
 
   class ReturnSuccessor extends SuccessorType, CfgImpl::TReturnSuccessor {
     final override string toString() { result = "return" }
@@ -94,8 +101,8 @@ module SuccessorTypes {
     final override string toString() { result = "continue" }
   }
 
-  class RaiseSuccessor extends SuccessorType, CfgImpl::TRaiseSuccessor {
-    final override string toString() { result = "raise" }
+  class ThrowSuccessor extends SuccessorType, CfgImpl::TThrowSuccessor {
+    final override string toString() { result = "throw" }
   }
 
   class ExitSuccessor extends SuccessorType, CfgImpl::TExitSuccessor {
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/internal/Completion.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/internal/Completion.qll
@@ -8,16 +8,23 @@ private import powershell
 private import semmle.code.powershell.controlflow.ControlFlowGraph
 private import ControlFlowGraphImpl as CfgImpl
 private import SuccessorTypes
+private import codeql.util.Boolean
 
 // TODO: We most likely need a TrapCompletion as well
 private newtype TCompletion =
   TSimpleCompletion() or
-  TBooleanCompletion(boolean b) { b in [false, true] } or
+  TBooleanCompletion(Boolean b) or
   TReturnCompletion() or
   TBreakCompletion() or
   TContinueCompletion() or
-  TRaiseCompletion() or
-  TExitCompletion()
+  TThrowCompletion() or
+  TExitCompletion() or
+  TMatchingCompletion(Boolean b)
+
+private predicate commandThrows(Cmd c, boolean unconditional) {
+  c.getNamedArgument("ErrorAction").(StringConstExpr).getValue().getValue() = "Stop" and
+  if c.getName() = "Write-Error" then unconditional = true else unconditional = false
+}
 
 pragma[noinline]
 private predicate completionIsValidForStmt(Ast n, Completion c) {
@@ -26,6 +33,16 @@ private predicate completionIsValidForStmt(Ast n, Completion c) {
   or
   n instanceof ContinueStmt and
   c instanceof ContinueCompletion
+  or
+  n instanceof ThrowStmt and
+  c instanceof ThrowCompletion
+  or
+  exists(boolean unconditional | commandThrows(n, unconditional) |
+    c instanceof ThrowCompletion
+    or
+    unconditional = false and
+    c instanceof SimpleCompletion
+  )
 }
 
 /** A completion of a statement or an expression. */
@@ -40,6 +57,14 @@ abstract class Completion extends TCompletion {
       not isBooleanConstant(n, _) and
       this = TBooleanCompletion(_)
     )
+    or
+    mustHaveMatchingCompletion(n) and
+    (
+      exists(boolean value | isMatchingConstant(n, value) | this = TMatchingCompletion(value))
+      or
+      not isMatchingConstant(n, _) and
+      this = TMatchingCompletion(_)
+    )
   }
 
   private predicate isValidForSpecific(Ast n) { this.isValidForSpecific0(n) }
@@ -74,11 +99,18 @@ private predicate isBooleanConstant(Ast n, boolean value) {
   none() // TODO
 }
 
+private predicate isMatchingConstant(Ast n, boolean value) {
+  inMatchingContext(n) and
+  none() // TODO
+}
+
 /**
  * Holds if a normal completion of `n` must be a Boolean completion.
  */
 private predicate mustHaveBooleanCompletion(Ast n) { inBooleanContext(n) }
 
+private predicate mustHaveMatchingCompletion(Ast n) { inMatchingContext(n) }
+
 /**
  * Holds if `n` is used in a Boolean context. That is, the value
  * that `n` evaluates to determines a true/false branch successor.
@@ -128,6 +160,22 @@ private predicate inBooleanContext(Ast n) {
   )
 }
 
+/**
+ * From: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_switch?view=powershell-7.4:
+ * ```
+ * switch [-regex | -wildcard | -exact] [-casesensitive] (<test-expression>)
+ * {
+ *    "string" | number | variable | { <value-scriptblock> } { <action-scriptblock> }
+ *    default { <action-scriptblock> } # optional
+ * }
+ * ```
+ */
+private predicate inMatchingContext(Ast n) {
+  n = any(SwitchStmt switch).getAPattern()
+  or
+  n = any(CatchClause cc).getACatchType()
+}
+
 /**
  * A completion that represents normal evaluation of a statement or an
  * expression.
@@ -159,7 +207,7 @@ abstract class ConditionalCompletion extends NormalCompletion {
  * A completion that represents evaluation of an expression
  * with a Boolean value.
  */
-class BooleanCompletion extends ConditionalCompletion, NormalCompletion, TBooleanCompletion {
+class BooleanCompletion extends ConditionalCompletion, TBooleanCompletion {
   BooleanCompletion() { this = TBooleanCompletion(value) }
 
   /** Gets the dual Boolean completion. */
@@ -180,6 +228,18 @@ class FalseCompletion extends BooleanCompletion {
   FalseCompletion() { this.getValue() = false }
 }
 
+class MatchCompletion extends ConditionalCompletion, TMatchingCompletion {
+  MatchCompletion() { this = TMatchingCompletion(value) }
+
+  override MatchingSuccessor getAMatchingSuccessorType() { result.getValue() = value }
+
+  predicate isMatch() { this.getValue() = true }
+
+  predicate isNonMatch() { this.getValue() = false }
+
+  override string toString() { if this.isMatch() then result = "match" else result = "nonmatch" }
+}
+
 /**
  * A completion that represents evaluation of a statement or an
  * expression resulting in a return.
@@ -214,10 +274,10 @@ class ContinueCompletion extends Completion, TContinueCompletion {
  * A completion that represents evaluation of a statement or an
  * expression resulting in a thrown exception.
  */
-class RaiseCompletion extends Completion, TRaiseCompletion {
-  override RaiseSuccessor getAMatchingSuccessorType() { any() }
+class ThrowCompletion extends Completion, TThrowCompletion {
+  override ThrowSuccessor getAMatchingSuccessorType() { any() }
 
-  override string toString() { result = "raise" }
+  override string toString() { result = "throw" }
 }
 
 /**
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/internal/ControlFlowGraphImpl.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/internal/ControlFlowGraphImpl.qll

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ import powershell`
`3`	`3`	`class ArrayExpr extends @array_expression, Expr {`
`4`	`4`	`override SourceLocation getLocation() { array_expression_location(this, result) }`
`5`	`5`
`6`		`- StmtBlock getStatementBlock() { array_expression(this, result) }`
	`6`	`+ StmtBlock getStmtBlock() { array_expression(this, result) }`
`7`	`7`
`8`		`- override string toString() { result = "ArrayExpression at: " + this.getLocation().toString() }`
	`8`	`+ override string toString() { result = "@(...)" }`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,11 @@ class Attribute extends @attribute, AttributeBase {`
`15`	`15`
`16`	`16`	`NamedAttributeArgument getANamedArgument() { result = this.getNamedArgument(_) }`
`17`	`17`
	`18`	`+ int getNumberOfArguments() { result = count(this.getAPositionalArgument()) }`
	`19`	`+`
`18`	`20`	`Expr getPositionalArgument(int i) { attribute_positional_argument(this, i, result) }`
`19`	`21`
`20`	`22`	`Expr getAPositionalArgument() { result = this.getPositionalArgument(_) }`
	`23`	`+`
	`24`	`+ int getNumberOfPositionalArguments() { result = count(this.getAPositionalArgument()) }`
`21`	`25`	`}`