Merge pull request #128 from microsoft/powershell-taint-through-operations

PS: Taint through operations

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/BinaryExpression.qll

@@ -5,6 +5,22 @@ class BinaryExpr extends @binary_expression, Expr {
 
   int getKind() { binary_expression(this, result, _, _) }
 
+  /** Gets an operand of this binary expression. */
+  Expr getAnOperand() {
+    result = this.getLeft()
+    or
+    result = this.getRight()
+  }
+
+  /** Holds if this binary expression has the operands `e1` and `e2`. */
+  predicate hasOperands(Expr e1, Expr e2) {
+    e1 = this.getLeft() and
+    e2 = this.getRight()
+    or
+    e1 = this.getRight() and
+    e2 = this.getLeft()
+  }
+
   Expr getLeft() { binary_expression(this, _, result, _) }
 
   Expr getRight() { binary_expression(this, _, _, result) }

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -519,6 +519,50 @@ module ExprNodes {
 
     final StmtCfgNode getBase() { e.hasCfgChild(e.getBase(), this, result) }
   }
+
+  class UnaryExprChildMapping extends ExprChildMapping, UnaryExpr {
+    override predicate relevantChild(Ast n) { n = this.getOperand() }
+  }
+
+  class UnaryCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "UnaryExprCfgNode" }
+
+    override UnaryExprChildMapping e;
+
+    override UnaryExpr getExpr() { result = e }
+
+    final ExprCfgNode getOperand() { e.hasCfgChild(e.getOperand(), this, result) }
+  }
+
+  class BinaryExprChildMapping extends ExprChildMapping, BinaryExpr {
+    override predicate relevantChild(Ast n) { n = this.getLeft() or n = this.getRight() }
+  }
+
+  class BinaryCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "BinaryExprCfgNode" }
+
+    override BinaryExprChildMapping e;
+
+    override BinaryExpr getExpr() { result = e }
+
+    final ExprCfgNode getLeft() { e.hasCfgChild(e.getLeft(), this, result) }
+
+    final ExprCfgNode getRight() { e.hasCfgChild(e.getRight(), this, result) }
+  }
+
+  class OperationChildMapping extends ExprChildMapping instanceof Operation {
+    override predicate relevantChild(Ast n) { n = super.getAnOperand() }
+  }
+
+  class OperationCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "OperationCfgNode" }
+
+    override OperationChildMapping e;
+
+    override Operation getExpr() { result = e }
+
+    final ExprCfgNode getAnOperand() { e.hasCfgChild(this.getExpr().getAnOperand(), this, result) }
+  }
 }
 
 module StmtNodes {

powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll

@@ -33,17 +33,22 @@ private module Cached {
    */
   cached
   predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
-    // Although flow through collections is modeled precisely using stores/reads, we still
-    // allow flow out of a _tainted_ collection. This is needed in order to support taint-
-    // tracking configurations where the source is a collection.
-    exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
-      c.isSingleton(any(DataFlow::Content::ElementContent ec))
+    (
+      exists(CfgNodes::ExprNodes::OperationCfgNode op |
+        op = nodeTo.asExpr() and
+        op.getAnOperand() = nodeFrom.asExpr()
+      )
       or
-      c.isKnownOrUnknownElement(_)
-      // or
-      // TODO: We do't generate this one from readSteps yet, but we will as
-      // soon as we start on models-as-data.
-      // c.isAnyElement()
+      // Although flow through collections is modeled precisely using stores/reads, we still
+      // allow flow out of a _tainted_ collection. This is needed in order to support taint-
+      // tracking configurations where the source is a collection.
+      exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
+        c.isSingleton(any(DataFlow::Content::ElementContent ec))
+        or
+        c.isKnownOrUnknownElement(_)
+        or
+        c.isAnyElement()
+      )
     ) and
     model = ""
   }

powershell/ql/lib/semmle/code/powershell/internal/Internal.qll

@@ -2,10 +2,12 @@ module Private {
   import Parameter::Private
   import ExplicitWrite::Private
   import Argument::Private
+  import Operation::Private
 }
 
 module Public {
   import Parameter::Public
   import ExplicitWrite::Public
   import Argument::Public
+  import Operation::Public
 }

powershell/ql/lib/semmle/code/powershell/internal/Operation.qll

@@ -0,0 +1,31 @@
+import powershell
+
+module Private {
+  abstract private class AbstractOperation extends Expr {
+    abstract Expr getAnOperand();
+
+    abstract int getKind();
+  }
+
+  class BinaryOperation extends BinaryExpr, AbstractOperation {
+    final override Expr getAnOperand() { result = BinaryExpr.super.getAnOperand() }
+
+    final override int getKind() { result = BinaryExpr.super.getKind() }
+  }
+
+  class UnaryOperation extends UnaryExpr, AbstractOperation {
+    final override Expr getAnOperand() { result = UnaryExpr.super.getOperand() }
+
+    final override int getKind() { result = UnaryExpr.super.getKind() }
+  }
+
+  final class Operation = AbstractOperation;
+}
+
+module Public {
+  class Operation = Private::Operation;
+
+  class BinaryOperation = Private::BinaryOperation;
+
+  class UnaryOperation = Private::UnaryOperation;
+}

powershell/ql/test/library-tests/dataflow/local/test.expected renamed to powershell/ql/test/library-tests/dataflow/local/flow.expected

@@ -3,7 +3,7 @@
 | test.ps1:1:7:1:13 | Source | test.ps1:1:1:1:13 | ...=... |
 | test.ps1:2:1:2:9 | Sink | test.ps1:2:1:2:9 | pre-return value for Sink |
 | test.ps1:2:1:2:9 | Sink | test.ps1:2:1:2:9 | pre-return value for Sink |
-| test.ps1:2:1:2:9 | implicit unwrapping of Sink | test.ps1:1:1:14:8 | return value for test.ps1 |
+| test.ps1:2:1:2:9 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
 | test.ps1:2:1:2:9 | pre-return value for Sink | test.ps1:2:1:2:9 | implicit unwrapping of Sink |
 | test.ps1:4:1:4:3 | b | test.ps1:5:4:5:6 | b |
 | test.ps1:4:6:4:13 | GetBool | test.ps1:4:1:4:3 | b |
@@ -14,7 +14,7 @@
 | test.ps1:6:11:6:17 | Source | test.ps1:6:5:6:17 | ...=... |
 | test.ps1:8:1:8:9 | Sink | test.ps1:8:1:8:9 | pre-return value for Sink |
 | test.ps1:8:1:8:9 | Sink | test.ps1:8:1:8:9 | pre-return value for Sink |
-| test.ps1:8:1:8:9 | implicit unwrapping of Sink | test.ps1:1:1:14:8 | return value for test.ps1 |
+| test.ps1:8:1:8:9 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
 | test.ps1:8:1:8:9 | pre-return value for Sink | test.ps1:8:1:8:9 | implicit unwrapping of Sink |
 | test.ps1:10:1:10:3 | c | test.ps1:11:6:11:8 | c |
 | test.ps1:10:6:10:16 | [...]... | test.ps1:10:1:10:3 | c |
@@ -23,7 +23,7 @@
 | test.ps1:10:14:10:16 | b | test.ps1:10:6:10:16 | [...]... |
 | test.ps1:11:1:11:8 | Sink | test.ps1:11:1:11:8 | pre-return value for Sink |
 | test.ps1:11:1:11:8 | Sink | test.ps1:11:1:11:8 | pre-return value for Sink |
-| test.ps1:11:1:11:8 | implicit unwrapping of Sink | test.ps1:1:1:14:8 | return value for test.ps1 |
+| test.ps1:11:1:11:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
 | test.ps1:11:1:11:8 | pre-return value for Sink | test.ps1:11:1:11:8 | implicit unwrapping of Sink |
 | test.ps1:11:6:11:8 | [post] c | test.ps1:13:7:13:9 | c |
 | test.ps1:11:6:11:8 | c | test.ps1:13:7:13:9 | c |
@@ -35,5 +35,15 @@
 | test.ps1:13:7:13:9 | c | test.ps1:13:7:13:9 | c |
 | test.ps1:14:1:14:8 | Sink | test.ps1:14:1:14:8 | pre-return value for Sink |
 | test.ps1:14:1:14:8 | Sink | test.ps1:14:1:14:8 | pre-return value for Sink |
-| test.ps1:14:1:14:8 | implicit unwrapping of Sink | test.ps1:1:1:14:8 | return value for test.ps1 |
+| test.ps1:14:1:14:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
 | test.ps1:14:1:14:8 | pre-return value for Sink | test.ps1:14:1:14:8 | implicit unwrapping of Sink |
+| test.ps1:14:6:14:8 | [post] d | test.ps1:16:6:16:8 | d |
+| test.ps1:14:6:14:8 | d | test.ps1:16:6:16:8 | d |
+| test.ps1:16:1:16:3 | e | test.ps1:17:6:17:8 | e |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:1:16:3 | e |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:1:16:12 | ...=... |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:6:16:12 | ...+... |
+| test.ps1:17:1:17:8 | Sink | test.ps1:17:1:17:8 | pre-return value for Sink |
+| test.ps1:17:1:17:8 | Sink | test.ps1:17:1:17:8 | pre-return value for Sink |
+| test.ps1:17:1:17:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:17:1:17:8 | pre-return value for Sink | test.ps1:17:1:17:8 | implicit unwrapping of Sink |

powershell/ql/test/library-tests/dataflow/local/test.ql renamed to powershell/ql/test/library-tests/dataflow/local/flow.ql

@@ -0,0 +1,56 @@
+| test.ps1:1:1:1:4 | a1 | test.ps1:2:6:2:9 | a1 |
+| test.ps1:1:7:1:13 | Source | test.ps1:1:1:1:4 | a1 |
+| test.ps1:1:7:1:13 | Source | test.ps1:1:1:1:13 | ...=... |
+| test.ps1:2:1:2:9 | Sink | test.ps1:2:1:2:9 | pre-return value for Sink |
+| test.ps1:2:1:2:9 | Sink | test.ps1:2:1:2:9 | pre-return value for Sink |
+| test.ps1:2:1:2:9 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:2:1:2:9 | pre-return value for Sink | test.ps1:2:1:2:9 | implicit unwrapping of Sink |
+| test.ps1:2:1:2:9 | pre-return value for Sink | test.ps1:2:1:2:9 | implicit unwrapping of Sink |
+| test.ps1:4:1:4:3 | b | test.ps1:5:4:5:6 | b |
+| test.ps1:4:6:4:13 | GetBool | test.ps1:4:1:4:3 | b |
+| test.ps1:4:6:4:13 | GetBool | test.ps1:4:1:4:13 | ...=... |
+| test.ps1:5:4:5:6 | b | test.ps1:10:14:10:16 | b |
+| test.ps1:6:5:6:8 | a2 | test.ps1:8:6:8:9 | a2 |
+| test.ps1:6:11:6:17 | Source | test.ps1:6:5:6:8 | a2 |
+| test.ps1:6:11:6:17 | Source | test.ps1:6:5:6:17 | ...=... |
+| test.ps1:8:1:8:9 | Sink | test.ps1:8:1:8:9 | pre-return value for Sink |
+| test.ps1:8:1:8:9 | Sink | test.ps1:8:1:8:9 | pre-return value for Sink |
+| test.ps1:8:1:8:9 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:8:1:8:9 | pre-return value for Sink | test.ps1:8:1:8:9 | implicit unwrapping of Sink |
+| test.ps1:8:1:8:9 | pre-return value for Sink | test.ps1:8:1:8:9 | implicit unwrapping of Sink |
+| test.ps1:10:1:10:3 | c | test.ps1:11:6:11:8 | c |
+| test.ps1:10:6:10:16 | [...]... | test.ps1:10:1:10:3 | c |
+| test.ps1:10:6:10:16 | [...]... | test.ps1:10:1:10:16 | ...=... |
+| test.ps1:10:6:10:16 | [...]... | test.ps1:10:6:10:16 | [...]... |
+| test.ps1:10:14:10:16 | b | test.ps1:10:6:10:16 | [...]... |
+| test.ps1:11:1:11:8 | Sink | test.ps1:11:1:11:8 | pre-return value for Sink |
+| test.ps1:11:1:11:8 | Sink | test.ps1:11:1:11:8 | pre-return value for Sink |
+| test.ps1:11:1:11:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:11:1:11:8 | pre-return value for Sink | test.ps1:11:1:11:8 | implicit unwrapping of Sink |
+| test.ps1:11:1:11:8 | pre-return value for Sink | test.ps1:11:1:11:8 | implicit unwrapping of Sink |
+| test.ps1:11:6:11:8 | [post] c | test.ps1:13:7:13:9 | c |
+| test.ps1:11:6:11:8 | c | test.ps1:13:7:13:9 | c |
+| test.ps1:13:1:13:3 | d | test.ps1:14:6:14:8 | d |
+| test.ps1:13:6:13:10 | (...) | test.ps1:13:1:13:3 | d |
+| test.ps1:13:6:13:10 | (...) | test.ps1:13:1:13:10 | ...=... |
+| test.ps1:13:6:13:10 | (...) | test.ps1:13:6:13:10 | (...) |
+| test.ps1:13:7:13:9 | c | test.ps1:13:6:13:10 | (...) |
+| test.ps1:13:7:13:9 | c | test.ps1:13:7:13:9 | c |
+| test.ps1:14:1:14:8 | Sink | test.ps1:14:1:14:8 | pre-return value for Sink |
+| test.ps1:14:1:14:8 | Sink | test.ps1:14:1:14:8 | pre-return value for Sink |
+| test.ps1:14:1:14:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:14:1:14:8 | pre-return value for Sink | test.ps1:14:1:14:8 | implicit unwrapping of Sink |
+| test.ps1:14:1:14:8 | pre-return value for Sink | test.ps1:14:1:14:8 | implicit unwrapping of Sink |
+| test.ps1:14:6:14:8 | [post] d | test.ps1:16:6:16:8 | d |
+| test.ps1:14:6:14:8 | d | test.ps1:16:6:16:8 | d |
+| test.ps1:16:1:16:3 | e | test.ps1:17:6:17:8 | e |
+| test.ps1:16:6:16:8 | d | test.ps1:16:6:16:12 | ...+... |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:1:16:3 | e |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:1:16:12 | ...=... |
+| test.ps1:16:6:16:12 | ...+... | test.ps1:16:6:16:12 | ...+... |
+| test.ps1:16:11:16:12 | 1 | test.ps1:16:6:16:12 | ...+... |
+| test.ps1:17:1:17:8 | Sink | test.ps1:17:1:17:8 | pre-return value for Sink |
+| test.ps1:17:1:17:8 | Sink | test.ps1:17:1:17:8 | pre-return value for Sink |
+| test.ps1:17:1:17:8 | implicit unwrapping of Sink | test.ps1:1:1:17:8 | return value for test.ps1 |
+| test.ps1:17:1:17:8 | pre-return value for Sink | test.ps1:17:1:17:8 | implicit unwrapping of Sink |
+| test.ps1:17:1:17:8 | pre-return value for Sink | test.ps1:17:1:17:8 | implicit unwrapping of Sink |

powershell/ql/test/library-tests/dataflow/local/taint.expected

@@ -0,0 +1,7 @@
+import powershell
+import semmle.code.powershell.dataflow.TaintTracking
+import semmle.code.powershell.dataflow.DataFlow
+
+from DataFlow::Node pred, DataFlow::Node succ
+where TaintTracking::localTaintStep(pred, succ)
+select pred, succ

powershell/ql/test/library-tests/dataflow/local/taint.ql

@@ -11,4 +11,7 @@ $c = [string]$b
 Sink $c
 
 $d = ($c)
-Sink $d
+Sink $d
+
+$e = $d + 1
+Sink $e