PS: Prevent bad magic by calling a HOP to compute the transitive closure.

MathiasVP · MathiasVP · commit 31fbb6fd55ef · 2025-06-19T22:11:25.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/Ast.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/Ast.qll
@@ -5,10 +5,12 @@ private import Scope
 class Ast extends @ast {
   final string toString() { none() }
 
+  pragma[nomagic]
   final Ast getParent() { result.getAChild() = this }
 
   Ast getChild(ChildIndex i) { none() }
 
+  pragma[nomagic]
   final Ast getAChild() { result = this.getChild(_) }
 
   Location getLocation() { none() }
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll
@@ -772,28 +772,33 @@ private module IteratorAccessSynth {
     // TODO: We could join on something other than the string if we wanted (i.e., the raw parameter).
     v.getPropertyName().toLowerCase() = result and
     result =
-      pb.getScriptBlock()
-          .getParamBlock()
-          .getAPipelineByPropertyNameParameter()
-          .getLowerCaseName()
+      pb.getScriptBlock().getParamBlock().getAPipelineByPropertyNameParameter().getLowerCaseName()
   }
 
+  private Raw::Ast getParent(Raw::Ast a) { a.getParent() = result }
+
+  private predicate isVarAccess(Raw::VarAccess va) { any() }
+
+  private predicate isProcessBlock(Raw::ProcessBlock pb) { any() }
+
+  private Raw::ProcessBlock getProcessBlock(Raw::VarAccess va) =
+    doublyBoundedFastTC(getParent/1, isVarAccess/1, isProcessBlock/1)(va, result)
+
   private class IteratorAccessSynth extends Synthesis {
     final override predicate isRelevant(Raw::Ast a) {
-      exists(Raw::ProcessBlock pb, Raw::VarAccess va |
-        va = a and
-        pb = va.getParent+()
-      |
+      exists(Raw::VarAccess va | va = a |
         va.getUserPath() = "_"
         or
-        va.getUserPath().toLowerCase() =
-          pb.getScriptBlock().getParamBlock().getPipelineParameter().getLowerCaseName()
-        or
-        va.getUserPath().toLowerCase() =
-          pb.getScriptBlock()
-              .getParamBlock()
-              .getAPipelineByPropertyNameParameter()
-              .getLowerCaseName()
+        exists(Raw::ProcessBlock pb | pb = getProcessBlock(va) |
+          va.getUserPath().toLowerCase() =
+            pb.getScriptBlock().getParamBlock().getPipelineParameter().getLowerCaseName()
+          or
+          va.getUserPath().toLowerCase() =
+            pb.getScriptBlock()
+                .getParamBlock()
+                .getAPipelineByPropertyNameParameter()
+                .getLowerCaseName()
+        )
       )
     }
 
@@ -811,7 +816,7 @@ private module IteratorAccessSynth {
 
     private PipelineOrPipelineByPropertyNameIteratorVariable varAccess(Raw::VarAccess va) {
       exists(Raw::ProcessBlock pb |
-        pb = va.getParent+() and
+        pb = getProcessBlock(va) and
         result = TVariableSynth(pb, _) and
         va.getUserPath().toLowerCase() = getAPipelineIteratorName(pb, result)
       )
