
Commit 419de4f

authored
Merge pull request #196 from microsoft/autogenerate-lots-of-models
PS: Add autogenerated summary models
2 parents 89ddb30 + b55ee68 commit 419de4f


1,079 files changed

+125597
-119912
lines changed

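--- a/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
+++ b/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
@@ -10,6 +10,8 @@ private import semmle.code.powershell.dataflow.DataFlow
 private import semmle.code.powershell.typetracking.ApiGraphShared
 private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
 private import semmle.code.powershell.controlflow.Cfg
+private import frameworks.data.internal.ApiGraphModelsExtensions as Extensions
+private import frameworks.data.internal.ApiGraphModelsSpecific as Specific
 private import semmle.code.powershell.dataflow.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.code.powershell.dataflow.internal.DataFlowDispatch as DataFlowDispatch
 
@@ -514,12 +516,48 @@ module API {
 )
 }
 
+bindingset[name]
+private string memberOrMethodReturnValue(string name) {
+// This predicate is a bit ad-hoc, but it's okay for now.
+// We can delete it once we no longer use the typeModel and summaryModel
+// tables to represent implicit root members.
+result = "Method[" + name + "]"
+or
+result = "Method[" + name + "].ReturnValue"
+or
+result = "Member[" + name + "]"
+}
+
+private Node getAnImplicitRootMember(string name) {
+exists(DataFlow::CallNode call |
+Extensions::typeModel(_, Specific::getAnImplicitImport(), memberOrMethodReturnValue(name))
+or
+Extensions::summaryModel(Specific::getAnImplicitImport(), memberOrMethodReturnValue(name),
+_, _, _, _)
+or
+Extensions::sourceModel(Specific::getAnImplicitImport(), memberOrMethodReturnValue(name), _,
+_)
+|
+result = MkMethodAccessNode(call) and
+name = call.getName().toLowerCase()
+)
+}
+
 cached
 predicate memberEdge(Node pred, string name, Node succ) {
-exists(StringConstExpr read |
-succ = getForwardStartNode(getNodeFromExpr(read)) and
-pred = MkRoot() and
-name = read.getValueString()
+pred = API::root() and
+(
+exists(StringConstExpr read |
+succ = getForwardStartNode(getNodeFromExpr(read)) and
+name = read.getValueString()
+)
+or
+exists(DataFlow::AutomaticVariableNode automatic |
+automatic.getName() = name and
+succ = getForwardStartNode(automatic)
+)
+or
+succ = getAnImplicitRootMember(name)
 )
 or
 exists(DataFlow::QualifiedTypeNameNode typeName |
@@ -528,12 +566,6 @@ module API {
 succ = getForwardStartNode(typeName)
 )
 or
-pred = MkRoot() and
-exists(DataFlow::AutomaticVariableNode automatic |
-automatic.getName() = name and
-succ = getForwardStartNode(automatic)
-)
-or
 exists(MemberExprReadAccess read |
 read.getMemberName().toLowerCase() = name and
 pred = getForwardEndNode(getALocalSourceStrict(getNodeFromExpr(read.getQualifier()))) and
@@ -548,6 +580,9 @@ module API {
 |
 pred = getForwardEndNode(getALocalSourceStrict(call.getQualifier()))
 )
+or
+pred = API::root() and
+succ = getAnImplicitRootMember(name)
 }
 
 cached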
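Review bot: In `memberEdge`, the trailing disjunct `pred = API::root() and succ = getAnImplicitRootMember(name)` repeats the `succ = getAnImplicitRootMember(name)` branch already inside the new `pred = API::root() and (...)` group, so one of the two can be removed. `getAnImplicitRootMember` also accepts any `DataFlow::CallNode` whose lower-cased name occurs in a model row for an implicit import; as far as these lines show, that includes method calls on unrelated qualifiers that merely share a name, so consider constraining `call` if only unqualified calls are meant. The lookup matches only lower-cased model rows, which deserves a comment on `memberOrMethodReturnValue` such as `// name is lower-case, so model rows must be lower-cased to match`. `memberEdge` continues outside the visible hunks.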

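--- a/powershell/ql/lib/semmle/code/powershell/ast/internal/InvokeMemberExpression.qll
+++ b/powershell/ql/lib/semmle/code/powershell/ast/internal/InvokeMemberExpression.qll
@@ -72,3 +72,14 @@ class ConstructorCall extends InvokeMemberExpr {
 /** Gets the name of the type being constructed by this constructor call. */
 string getConstructedTypeName() { result = typename.getName() }
 }
+
+/**
+* A call to a `toString` method. For example:
+*
+* ```powershell
+* $x.ToString()
+* ```
+*/
+class ToStringCall extends InvokeMemberExpr {
+ToStringCall() { this.getName().toLowerCase() = "toString" }
+}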
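Review bot: The characteristic predicate of `ToStringCall` compares a lower-cased name with the mixed-case literal `"toString"`, so it can never hold and the class is empty. It should read `ToStringCall() { this.getName().toLowerCase() = "tostring" }`. As written, `ToStringCallCfgNode` in CfgNodes.qll, `ToStringCallNode` in DataFlowPublic.qll and the qualifier-to-call step added in TaintTrackingPrivate.qll all have no results, so taint is not propagated through `$x.ToString()` and queries relying on that step will miss flows. A library test with a source flowing through `$x.ToString()` to a sink would catch this.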

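--- a/powershell/ql/lib/semmle/code/powershell/ast/internal/Pipeline.qll
+++ b/powershell/ql/lib/semmle/code/powershell/ast/internal/Pipeline.qll
@@ -28,4 +28,11 @@ class Pipeline extends Expr, TPipeline {
 Expr getAComponent() { result = this.getComponent(_) }
 
 int getNumberOfComponents() { result = getRawAst(this).(Raw::Pipeline).getNumberOfComponents() }
+
+Expr getLastComponent() {
+exists(int i |
+result = this.getComponent(i) and
+not exists(this.getComponent(i + 1))
+)
+}
 }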
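Review bot: `getLastComponent` is a new public predicate with no QLDoc; add `/** Gets the last component of this pipeline. */` above it. It could also be written as `result = this.getComponent(this.getNumberOfComponents() - 1)`, which avoids the negated `exists`. That form assumes components are indexed from 0 without gaps, which this hunk does not show, so confirm before switching.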

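--- a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
+++ b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -587,7 +587,7 @@ module ExprNodes {
 }
 
 private class CallOperatorChildMapping extends CallExprChildMapping instanceof CallOperator {
-override predicate relevantChild(Ast child) { none() }
+override predicate relevantChild(Ast child) { super.relevantChild(child) }
 }
 
 class CallOperatorCfgNode extends CallExprCfgNode {
@@ -600,6 +600,18 @@ module ExprNodes {
 ExprCfgNode getCommand() { result = this.getArgument(0) }
 }
 
+private class ToStringCallChildmapping extends CallExprChildMapping instanceof ToStringCall {
+override predicate relevantChild(Ast child) { super.relevantChild(child) }
+}
+
+class ToStringCallCfgNode extends CallExprCfgNode {
+override string getAPrimaryQlClass() { result = "ToStringCallCfgNode" }
+
+override ToStringCallChildmapping e;
+
+override ToStringCall getExpr() { result = e }
+}
+
 private class MemberExprChildMapping extends ExprChildMapping, MemberExpr {
 override predicate relevantChild(Ast child) {
 child = this.getQualifier()
@@ -847,6 +859,8 @@ module ExprNodes {
 ExprCfgNode getComponent(int i) { e.hasCfgChild(e.getComponent(i), this, result) }
 
 ExprCfgNode getAComponent() { result = this.getComponent(_) }
+
+ExprCfgNode getLastComponent() { e.hasCfgChild(e.getLastComponent(), this, result) }
 }
 
 private class PipelineChainChildMapping extends ExprChildMapping, PipelineChain {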
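Review bot: `ToStringCallChildmapping` breaks the `...ChildMapping` spelling used by `CallOperatorChildMapping`, `MemberExprChildMapping` and `PipelineChainChildMapping` in the same module; rename it to `ToStringCallChildMapping` in both the declaration and the `override ToStringCallChildmapping e;` field. The new public `ToStringCallCfgNode` class and the `getLastComponent` predicate in the last hunk have no QLDoc; add `/** A control-flow node for a call to ToString. */` and `/** Gets the last component of this pipeline. */`.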

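--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -140,6 +140,8 @@ module LocalFlow {
 or
 nodeFrom.asExpr() = nodeTo.asExpr().(CfgNodes::ExprNodes::ArrayExprCfgNode)
 or
+nodeTo.asExpr().(CfgNodes::ExprNodes::PipelineCfgNode).getLastComponent() = nodeFrom.asExpr()
+or
 exists(CfgNodes::ExprCfgNode e |
 e = nodeFrom.(AstNode).getCfgNode() and
 isReturned(e) and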
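Review bot: The new disjunct adds a local flow step from a pipeline's last component to the pipeline node, but nothing on the line says why the step is sound. Add a comment above it such as `// The value of a pipeline is the output of its last component.` so later edits to the step list keep the intent. The enclosing predicate starts and ends outside the hunk.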

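--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -534,6 +534,13 @@ class CallOperatorNode extends CallNode {
 Node getCommand() { result.asExpr() = call.getCommand() } // TODO: Alternatively, we could remap calls to & as command expressions.
 }
 
+/**
+* A call to `ToString`, viewed as a node in a data flow graph.
+*/
+class ToStringCallNode extends CallNode {
+override CfgNodes::ExprNodes::ToStringCallCfgNode call;
+}
+
 /** A use of a type name, viewed as a node in a data flow graph. */
 class TypeNameNode extends ExprNode {
 override CfgNodes::ExprNodes::TypeNameExprCfgNode n;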

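--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/FlowSummaryImpl.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/FlowSummaryImpl.qll
@@ -35,11 +35,16 @@ module Input implements InputSig<Location, DataFlowImplSpecific::PowershellDataF
 or
 pos.isThis() and
 result = "this"
+or
+pos.isPipeline() and
+result = "pipeline"
 }
 
 string encodeArgumentPosition(ArgumentPosition pos) {
 pos.isThis() and result = "this"
 or
+pos.isPipeline() and result = "pipeline"
+or
 exists(int i |
 pos.isPositional(i, emptyNamedSet()) and
 result = i.toString()
@@ -52,20 +57,20 @@ module Input implements InputSig<Location, DataFlowImplSpecific::PowershellDataF
 }
 
 string encodeContent(ContentSet cs, string arg) {
-exists(Content c | cs = TSingletonContentSet(c) |
+exists(Content c | cs.isSingleton(c) |
 c = TFieldContent(arg) and result = "Field"
 or
 exists(ConstantValue cv | c = TKnownKeyContent(cv) or c = TKnownPositionalContent(cv) |
 result = "Element" and
 arg = cv.serialize() + "!"
 )
-or
-(c = TUnknownPositionalContent() or c = TUnknownKeyContent()) and
-result = "Element" and
-arg = "?"
 )
 or
-cs = TAnyElementContentSet() and result = "Element" and arg = "any"
+cs.isAnyPositional() and result = "Element" and arg = "?"
+or
+cs.isUnknownKeyContent() and result = "Element" and arg = "#"
+or
+cs.isAnyElement() and result = "Element" and arg = "any"
 or
 exists(Content::KnownElementContent kec |
 cs = TKnownOrUnknownKeyContentSet(kec) or cs = TKnownOrUnknownPositionalContentSet(kec)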
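Review bot: `encodeContent` now encodes unknown-key content as `Element[#]`, where the removed lines gave unknown-key and unknown-positional content the same `Element[?]` token, so any existing model row that used `?` for a hash-table key appears to change meaning. The decoding side of the access-path grammar is not in this section; it has to accept `#`, and the `pipeline` position token added in the first hunk, or these encodings cannot round-trip. A comment above the three `Element` disjuncts, e.g. `// "?" = unknown position, "#" = unknown key, "any" = any element`, would keep hand-written models consistent. The body of `encodeContent` continues past the hunk.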

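--- a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
+++ b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
@@ -57,6 +57,8 @@ private module Cached {
 or
 c.isAnyElement()
 )
+or
+nodeTo.(DataFlow::ToStringCallNode).getQualifier() = nodeFrom
 ) and
 model = ""
 or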

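--- a/powershell/ql/lib/semmle/code/powershell/frameworks/Accessibility/model.yml
+++ b/powershell/ql/lib/semmle/code/powershell/frameworks/Accessibility/model.yml
@@ -3,25 +3,25 @@ extensions:
 pack: microsoft-sdl/powershell-all
 extensible: typeModel
 data:
-- ["System.String", "Accessibility.IAccessible", "Property[accHelp]"]
-- ["System.Object", "Accessibility.IAccessible", "Method[accHitTest].ReturnValue"]
-- ["System.Int32", "Accessibility._RemotableHandle", "Field[fContext]"]
-- ["System.Int32", "Accessibility.IAccessible", "Property[accChildCount]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accState]"]
-- ["Accessibility.AnnoScope", "Accessibility.AnnoScope!", "Field[ANNO_THIS]"]
-- ["System.Int32", "Accessibility.__MIDL_IWinTypes_0009", "Field[hRemote]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accParent]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accRole]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accChild]"]
-- ["System.String", "Accessibility.IAccessible", "Property[accKeyboardShortcut]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accSelection]"]
-- ["System.Int32", "Accessibility.IAccessible", "Property[accHelpTopic]"]
-- ["System.String", "Accessibility.IAccessible", "Property[accDescription]"]
-- ["System.String", "Accessibility.IAccessible", "Property[accDefaultAction]"]
-- ["System.Object", "Accessibility.IAccessible", "Property[accFocus]"]
-- ["Accessibility.__MIDL_IWinTypes_0009", "Accessibility._RemotableHandle", "Field[u]"]
-- ["System.String", "Accessibility.IAccessible", "Property[accValue]"]
-- ["System.Int32", "Accessibility.__MIDL_IWinTypes_0009", "Field[hInproc]"]
-- ["System.String", "Accessibility.IAccessible", "Property[accName]"]
-- ["Accessibility.AnnoScope", "Accessibility.AnnoScope!", "Field[ANNO_CONTAINER]"]
-- ["System.Object", "Accessibility.IAccessible", "Method[accNavigate].ReturnValue"]
+- ["system.string", "accessibility.iaccessible", "Property[acchelp]"]
+- ["system.object", "accessibility.iaccessible", "Method[acchittest].ReturnValue"]
+- ["system.int32", "accessibility._remotablehandle", "Field[fcontext]"]
+- ["system.int32", "accessibility.iaccessible", "Property[accchildcount]"]
+- ["system.object", "accessibility.iaccessible", "Property[accstate]"]
+- ["accessibility.annoscope", "accessibility.annoscope!", "Field[anno_this]"]
+- ["system.int32", "accessibility.__midl_iwintypes_0009", "Field[hremote]"]
+- ["system.object", "accessibility.iaccessible", "Property[accparent]"]
+- ["system.object", "accessibility.iaccessible", "Property[accrole]"]
+- ["system.object", "accessibility.iaccessible", "Property[accchild]"]
+- ["system.string", "accessibility.iaccessible", "Property[acckeyboardshortcut]"]
+- ["system.object", "accessibility.iaccessible", "Property[accselection]"]
+- ["system.int32", "accessibility.iaccessible", "Property[acchelptopic]"]
+- ["system.string", "accessibility.iaccessible", "Property[accdescription]"]
+- ["system.string", "accessibility.iaccessible", "Property[accdefaultaction]"]
+- ["system.object", "accessibility.iaccessible", "Property[accfocus]"]
+- ["accessibility.__midl_iwintypes_0009", "accessibility._remotablehandle", "Field[u]"]
+- ["system.string", "accessibility.iaccessible", "Property[accvalue]"]
+- ["system.int32", "accessibility.__midl_iwintypes_0009", "Field[hinproc]"]
+- ["system.string", "accessibility.iaccessible", "Property[accname]"]
+- ["accessibility.annoscope", "accessibility.annoscope!", "Field[anno_container]"]
+- ["system.object", "accessibility.iaccessible", "Method[accnavigate].ReturnValue"]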

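--- a/powershell/ql/lib/semmle/code/powershell/frameworks/IEHostExecute/model.yml
+++ b/powershell/ql/lib/semmle/code/powershell/frameworks/IEHostExecute/model.yml
@@ -3,7 +3,7 @@ extensions:
 pack: microsoft-sdl/powershell-all
 extensible: typeModel
 data:
-- ["System.Int32", "IEHost.Execute.IEExecuteRemote", "Method[ExecuteAsDll].ReturnValue"]
-- ["System.IO.Stream", "IEHost.Execute.IEExecuteRemote", "Property[Exception]"]
-- ["System.Object", "IEHost.Execute.IEExecuteRemote", "Method[InitializeLifetimeService].ReturnValue"]
-- ["System.Int32", "IEHost.Execute.IEExecuteRemote", "Method[ExecuteAsAssembly].ReturnValue"]
+- ["system.int32", "iehost.execute.ieexecuteremote", "Method[executeasdll].ReturnValue"]
+- ["system.io.stream", "iehost.execute.ieexecuteremote", "Property[exception]"]
+- ["system.object", "iehost.execute.ieexecuteremote", "Method[initializelifetimeservice].ReturnValue"]
+- ["system.int32", "iehost.execute.ieexecuteremote", "Method[executeasassembly].ReturnValue"]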
