PS: Dataflow additions to support api graphs.

MathiasVP · MathiasVP · commit 2ffbf179d87b · 2024-11-06T13:43:10.000Z
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -7,6 +7,7 @@ private import DataFlowPublic
 private import DataFlowDispatch
 private import SsaImpl as SsaImpl
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.powershell.frameworks.data.ModelsAsData
 
 /** Gets the callable in which this node occurs. */
 DataFlowCallable nodeGetEnclosingCallable(Node n) { result = n.(NodeImpl).getEnclosingCallable() }
@@ -199,6 +200,13 @@ private module Cached {
     TProcessNode(ProcessBlock process) or
     TProcessPropertyByNameNode(PipelineByPropertyNameIteratorVariable iter) {
       isProcessPropertyByNameNode(iter, _)
+    } or
+    TScriptBlockNode(ScriptBlock scriptBlock) or
+    TForbiddenRecursionGuard() {
+      none() and
+      // We want to prune irrelevant models before materialising data flow nodes, so types contributed
+      // directly from CodeQL must expose their pruning info without depending on data flow nodes.
+      (any(ModelInput::TypeModel tm).isTypeUsed("") implies any())
     }
 
   cached
@@ -1115,6 +1123,22 @@ private class ProcessPropertyByNameNode extends TProcessPropertyByNameNode, Node
   }
 }
 
+class ScriptBlockNode extends TScriptBlockNode, NodeImpl {
+  private ScriptBlock scriptBlock;
+
+  ScriptBlockNode() { this = TScriptBlockNode(scriptBlock) }
+
+  ScriptBlock getScriptBlock() { result = scriptBlock }
+
+  override CfgScope getCfgScope() { result = scriptBlock }
+
+  override Location getLocationImpl() { result = scriptBlock.getLocation() }
+
+  override string toStringImpl() { result = scriptBlock.toString() }
+
+  override predicate nodeIsHidden() { any() }
+}
+
 /** A node that performs a type cast. */
 class CastNode extends Node {
   CastNode() { none() }
@@ -1167,9 +1191,13 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
 
-predicate knownSourceModel(Node source, string model) { none() }
+predicate knownSourceModel(Node source, string model) {
+  source = ModelOutput::getASourceNode(_, model).asSource()
+}
 
-predicate knownSinkModel(Node sink, string model) { none() }
+predicate knownSinkModel(Node sink, string model) {
+  sink = ModelOutput::getASinkNode(_, model).asSink()
+}
 
 class DataFlowSecondLevelScope = Unit;
 
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -2,6 +2,7 @@ private import powershell
 private import DataFlowDispatch
 private import DataFlowPrivate
 private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
+private import semmle.code.powershell.ApiGraphs
 private import semmle.code.powershell.Cfg
 
 /**
@@ -95,11 +96,81 @@ class ParameterNode extends Node {
   final Parameter getParameter() { result = getParameter(this) }
 }
 
+/**
+ * A data flow node corresponding to a method, block, or lambda expression.
+ */
+class CallableNode extends Node instanceof ScriptBlockNode {
+  private ParameterPosition getParameterPosition(ParameterNodeImpl node) {
+    exists(DataFlowCallable c |
+      c.asCfgScope() = this.asCallableAstNode() and
+      result = getParameterPosition(node, c)
+    )
+  }
+
+  /** Gets the underlying AST node as a `Callable`. */
+  ScriptBlock asCallableAstNode() { result = super.getScriptBlock() }
+
+  /** Gets the `n`th positional parameter. */
+  ParameterNode getParameter(int n) {
+    this.getParameterPosition(result).isPositional(n, emptyNamedSet())
+  }
+
+  /** Gets the number of positional parameters of this callable. */
+  final int getNumberOfParameters() { result = count(this.getParameter(_)) }
+
+  /** Gets the keyword parameter of the given name. */
+  ParameterNode getKeywordParameter(string name) {
+    this.getParameterPosition(result).isKeyword(name)
+  }
+
+  /**
+   * Gets a data flow node whose value is about to be returned by this callable.
+   */
+  Node getAReturnNode() { result = getAReturnNode(this.asCallableAstNode()) }
+}
+
 /**
  * A data-flow node that is a source of local flow.
  */
 class LocalSourceNode extends Node {
   LocalSourceNode() { isLocalSourceNode(this) }
+
+  /** Starts tracking this node forward using API graphs. */
+  pragma[inline]
+  API::Node track() { result = API::Internal::getNodeForForwardTracking(this) }
+
+  /** Holds if this `LocalSourceNode` can flow to `nodeTo` in one or more local flow steps. */
+  pragma[inline]
+  predicate flowsTo(Node nodeTo) { flowsTo(this, nodeTo) }
+
+  /**
+   * Gets a node that this node may flow to using one heap and/or interprocedural step.
+   *
+   * See `TypeTracker` for more details about how to use this.
+   */
+  pragma[inline]
+  LocalSourceNode track(TypeTracker t2, TypeTracker t) { t = t2.step(this, result) }
+
+  /**
+   * Gets a node that may flow into this one using one heap and/or interprocedural step.
+   *
+   * See `TypeBackTracker` for more details about how to use this.
+   */
+  pragma[inline]
+  LocalSourceNode backtrack(TypeBackTracker t2, TypeBackTracker t) { t = t2.step(result, this) }
+
+  /**
+   * Gets a node to which data may flow from this node in zero or
+   * more local data-flow steps.
+   */
+  pragma[inline]
+  Node getALocalUse() { flowsTo(this, result) }
+
+  /** Gets a method call where this node flows to the receiver. */
+  CallNode getAMethodCall() { Cached::hasMethodCall(this, result, _) }
+
+  /** Gets a call to a method named `name`, where this node flows to the receiver. */
+  CallNode getAMethodCall(string name) { Cached::hasMethodCall(this, result, name) }
 }
 
 /**
@@ -361,6 +432,8 @@ class ObjectCreationNode extends Node {
   }
 
   final CfgNodes::ObjectCreationCfgNode getObjectCreationNode() { result = objectCreation }
+
+  string getConstructedTypeName() { result = this.getObjectCreationNode().getConstructedTypeName() }
 }
 
 /** A call, viewed as a node in a data flow graph. */
@@ -370,4 +443,10 @@ class CallNode extends AstNode {
   CallNode() { call = this.getCfgNode() }
 
   CfgNodes::CallCfgNode getCallNode() { result = call }
+
+  string getName() { result = call.getName() }
+
+  Node getQualifier() { result.asExpr() = call.getQualifier() }
+
+  int getNumberOfArguments() { result = call.getNumberOfArguments() }
 }
