Merge pull request #112 from microsoft/powershell-more-type-flow

PS: Add more type-tracking flow

Author: MathiasVP

powershell/ql/consistency-queries/TypeTrackingConsistency.ql

@@ -0,0 +1,8 @@
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
+
+private module ConsistencyChecksInput implements ConsistencyChecksInputSig {
+  predicate unreachableNodeExclude(DataFlow::Node n) { n instanceof DataFlow::PostUpdateNode }
+}
+
+import ConsistencyChecks<ConsistencyChecksInput>

powershell/ql/lib/powershell.qll

@@ -71,6 +71,7 @@ import semmle.code.powershell.StringConstantExpression
 import semmle.code.powershell.MemberExpr
 import semmle.code.powershell.InvokeMemberExpression
 import semmle.code.powershell.Call
+import semmle.code.powershell.ObjectCreation
 import semmle.code.powershell.SubExpression
 import semmle.code.powershell.ErrorExpr
 import semmle.code.powershell.ConvertExpr

powershell/ql/lib/semmle/code/powershell/Call.qll

@@ -12,6 +12,9 @@ abstract private class AbstractCall extends Ast {
   /** Gets the i'th positional argument to this call. */
   abstract Expr getPositionalArgument(int i);
 
+  /** Holds if an argument with name `name` is provided to this call. */
+  final predicate hasNamedArgument(string name) { exists(this.getNamedArgument(name)) }
+
   /** Gets the argument to this call with the name `name`. */
   abstract Expr getNamedArgument(string name);
 
@@ -25,7 +28,8 @@ abstract private class AbstractCall extends Ast {
   abstract Function getATarget();
 }
 
-private class CmdCall extends AbstractCall instanceof Cmd {
+/** A call to a command. For example, `Write-Host "Hello, world!"`. */
+class CmdCall extends AbstractCall instanceof Cmd {
   final override Expr getCommand() { result = Cmd.super.getCommand() }
 
   final override Expr getPositionalArgument(int i) { result = Cmd.super.getPositionalArgument(i) }
@@ -43,7 +47,8 @@ private class CmdCall extends AbstractCall instanceof Cmd {
   }
 }
 
-private class InvokeMemberCall extends AbstractCall instanceof InvokeMemberExpr {
+/** A call to a method on an object. For example, `$obj.ToString()`. */
+class MethodCall extends AbstractCall instanceof InvokeMemberExpr {
   final override Expr getCommand() { result = super.getMember() }
 
   final override Expr getPositionalArgument(int i) {

powershell/ql/lib/semmle/code/powershell/Command.qll

@@ -49,6 +49,9 @@ class Cmd extends @command, CmdBase {
       )
   }
 
+  /** Holds if this call has an argument named `name`. */
+  predicate hasNamedArgument(string name) { exists(this.getNamedArgument(name)) }
+
   /** Gets the named argument with the given name. */
   Expr getNamedArgument(string name) {
     exists(int i, CmdParameter p |

powershell/ql/lib/semmle/code/powershell/Function.qll

@@ -2,32 +2,58 @@ import powershell
 import semmle.code.powershell.controlflow.BasicBlocks
 
 abstract private class AbstractFunction extends Ast {
+  /** Gets the name of this function. */
   abstract string getName();
 
+  /** Holds if this function has name `name`. */
   final predicate hasName(string name) { this.getName() = name }
 
+  /** Gets the body of this function. */
   abstract ScriptBlock getBody();
 
+  /**
+   * Gets the i'th function parameter, if any.
+   *
+   * Note that this predicate only returns _function_ parameters.
+   * To also get _block_ parameters use the `getParameter` predicate.
+   */
   abstract Parameter getFunctionParameter(int i);
 
+  /** Gets the declaring type of this function, if any. */
+  abstract Type getDeclaringType();
+
+  /**
+   * Gets any function parameter of this function.
+   *
+   * Note that this only gets _function_ paramters. To get any parameter
+   * use the `getAParameter` predicate.
+   */
   final Parameter getAFunctionParameter() { result = this.getFunctionParameter(_) }
 
+  /** Gets the number of function parameters. */
   final int getNumberOfFunctionParameters() { result = count(this.getAFunctionParameter()) }
 
+  /** Gets the number of parameters (both function and block). */
   final int getNumberOfParameters() { result = count(this.getAParameter()) }
 
+  /** Gets the i'th parameter of this function, if any. */
   final Parameter getParameter(int i) {
     result = this.getFunctionParameter(i)
     or
     result = this.getBody().getParamBlock().getParameter(i)
   }
 
+  /** Gets any parameter of this function. */
   final Parameter getAParameter() { result = this.getParameter(_) }
 
+  /** Gets the entry point of this function in the control-flow graph. */
   EntryBasicBlock getEntryBasicBlock() { result.getScope() = this.getBody() }
 }
 
-class NonMemberFunction extends @function_definition, Stmt, AbstractFunction {
+/**
+ * A function definition.
+ */
+private class FunctionBase extends @function_definition, Stmt, AbstractFunction {
   override string toString() { result = this.getName() }
 
   override SourceLocation getLocation() { function_definition_location(this, result) }
@@ -41,34 +67,32 @@ class NonMemberFunction extends @function_definition, Stmt, AbstractFunction {
   predicate isWorkflow() { function_definition(this, _, _, _, true) }
 
   override Parameter getFunctionParameter(int i) { result.isFunctionParameter(this, i) }
-}
-
-class MemberFunction extends @function_member, Member, AbstractFunction {
-  override string getName() { function_member(this, _, _, _, _, _, _, result, _) }
-
-  override SourceLocation getLocation() { function_member_location(this, result) }
-
-  override string toString() { result = this.getName() }
 
-  override ScriptBlock getBody() { function_member(this, result, _, _, _, _, _, _, _) }
-
-  override predicate isHidden() { function_member(this, _, _, true, _, _, _, _, _) }
-
-  override predicate isPrivate() { function_member(this, _, _, _, true, _, _, _, _) }
+  override Type getDeclaringType() { none() }
+}
 
-  override predicate isPublic() { function_member(this, _, _, _, _, true, _, _, _) }
+private predicate isMethod(Member m, ScriptBlock body) {
+  function_member(m, body, _, _, _, _, _, _, _)
+}
 
-  override predicate isStatic() { function_member(this, _, _, _, _, _, true, _, _) }
+/**
+ * A method definition. That is, a function defined inside a class definition.
+ */
+class Method extends FunctionBase {
+  Method() { isMethod(_, super.getBody()) }
 
-  predicate isConstructor() { function_member(this, _, true, _, _, _, _, _, _) }
+  /** Gets the member corresponding to this function definition. */
+  Member getMember() { isMethod(result, super.getBody()) }
 
-  override Parameter getFunctionParameter(int i) { result.isFunctionParameter(this, i) }
+  /** Holds if this method is a constructor. */
+  predicate isConstructor() { function_member(this.getMember(), _, true, _, _, _, _, _, _) }
 
-  TypeConstraint getTypeConstraint() { function_member_return_type(this, result) }
+  final override Type getDeclaringType() { result = this.getMember().getDeclaringType() }
 }
 
-class Constructor extends MemberFunction {
+/** A constructor definition. */
+class Constructor extends Method {
   Constructor() { this.isConstructor() }
 }
 
-final class Function = AbstractFunction;
+final class Function = FunctionBase;

powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll

@@ -18,8 +18,30 @@ class InvokeMemberExpr extends @invoke_member_expression, MemberExprBase {
   override predicate isStatic() { this.getQualifier() instanceof TypeNameExpr }
 }
 
+/**
+ * A call to a constructor. For example:
+ *
+ * ```powershell
+ * [System.IO.FileInfo]::new("C:\\file.txt")
+ * ```
+ */
 class ConstructorCall extends InvokeMemberExpr {
-  ConstructorCall() { this.isStatic() and this.getName() = "new" }
-
-  Type getConstructedType() { result = this.getQualifier().(TypeNameExpr).getType() }
+  TypeNameExpr typename;
+
+  ConstructorCall() {
+    this.isStatic() and typename = this.getQualifier() and this.getName() = "new"
+  }
+
+  /**
+   * Gets the type being constructed by this constructor call.
+   *
+   * Note that the type may not exist in the database.
+   *
+   * Use `getConstructedTypeName` to get the name of the type (which will
+   * always exist in the database).
+   */
+  Type getConstructedType() { result = typename.getType() }
+
+  /** Gets the name of the type being constructed by this constructor call. */
+  string getConstructedTypeName() { result = typename.getName() }
 }

powershell/ql/lib/semmle/code/powershell/ObjectCreation.qll

@@ -0,0 +1,55 @@
+import powershell
+
+abstract private class AbstractObjectCreation extends Call {
+  /**
+   * The type of the object being constructed.
+   * Note that the type may not exist in the database.
+   *
+   * Use `getConstructedTypeName` to get the name of the type (which will
+   * always exist in the database).
+   */
+  abstract Type getConstructedType();
+
+  /** The name of the type of the object being constructed. */
+  abstract string getConstructedTypeName();
+}
+
+/**
+ * An object creation from a call to a constructor. For example:
+ * ```powershell
+ * [System.IO.FileInfo]::new("C:\\file.txt")
+ * ```
+ */
+class NewObjectCreation extends AbstractObjectCreation instanceof ConstructorCall {
+  final override Type getConstructedType() { result = ConstructorCall.super.getConstructedType() }
+
+  final override string getConstructedTypeName() {
+    result = ConstructorCall.super.getConstructedTypeName()
+  }
+}
+
+/**
+ * An object creation from a call to `New-Object`. For example:
+ * ```powershell
+ * New-Object -TypeName System.IO.FileInfo -ArgumentList "C:\\file.txt"
+ * ```
+ */
+class DotNetObjectCreation extends AbstractObjectCreation instanceof Cmd {
+  DotNetObjectCreation() { this.getCommandName() = "New-Object" }
+
+  final override Type getConstructedType() { none() }
+
+  final override string getConstructedTypeName() {
+    // Either it's the named argument `TypeName`
+    result = Cmd.super.getNamedArgument("TypeName").(StringConstExpr).getValue().getValue()
+    or
+    // Or it's the first positional argument if that's the named argument
+    not Cmd.super.hasNamedArgument("TypeName") and
+    exists(StringConstExpr arg | arg = Cmd.super.getPositionalArgument(0) |
+      result = arg.getValue().getValue() and
+      not arg = Cmd.super.getNamedArgument(["ArgumentList", "Property"])
+    )
+  }
+}
+
+final class ObjectCreation = AbstractObjectCreation;

powershell/ql/lib/semmle/code/powershell/Type.qll

@@ -11,10 +11,15 @@ class Type extends @type_definition, Stmt {
 
   Member getAMember() { result = this.getMember(_) }
 
-  MemberFunction getMemberFunction(string name) {
-    result = this.getAMember() and
+  Method getMethod(string name) {
+    result.getMember() = this.getAMember() and
     result.hasName(name)
   }
 
-  MemberFunction getAMemberFunction() { result = this.getMemberFunction(_) }
+  Constructor getAConstructor() {
+    result = this.getAMethod() and
+    result.getName() = this.getName()
+  }
+
+  Method getAMethod() { result = this.getMethod(_) }
 }

powershell/ql/lib/semmle/code/powershell/Variable.qll

@@ -4,8 +4,6 @@ private import internal.Internal as Internal
 
 private predicate isFunctionParameterImpl(Internal::Parameter p, Function f, int i) {
   function_definition_parameter(f, i, p)
-  or
-  function_member_parameter(f, i, p)
 }
 
 private predicate hasParameterBlockImpl(Internal::Parameter p, ParamBlock block, int i) {

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -128,6 +128,8 @@ abstract private class NonExprChildMapping extends ChildMapping {
 abstract private class AbstractCallCfgNode extends AstCfgNode {
   override string getAPrimaryQlClass() { result = "CfgCall" }
 
+  final predicate hasName(string name) { this.getName() = name }
+
   abstract string getName();
 
   ExprCfgNode getQualifier() { none() }
@@ -145,6 +147,18 @@ abstract private class AbstractCallCfgNode extends AstCfgNode {
 
 final class CallCfgNode = AbstractCallCfgNode;
 
+class ObjectCreationCfgNode extends CallCfgNode {
+  ObjectCreation objectCreation;
+
+  ObjectCreationCfgNode() { this.getAstNode() = objectCreation }
+
+  ObjectCreation getObjectCreation() { result = objectCreation }
+
+  Type getConstructedType() { result = objectCreation.getConstructedType() }
+
+  string getConstructedTypeName() { result = objectCreation.getConstructedTypeName() }
+}
+
 /** Provides classes for control-flow nodes that wrap AST expressions. */
 module ExprNodes {
   private class VarAccessChildMapping extends ExprChildMapping, VarAccess {
@@ -226,12 +240,12 @@ module ExprNodes {
 
     final override ExprCfgNode getAnArgument() { e.hasCfgChild(e.getAnArgument(), this, result) }
 
-    final override string getName() { none() }
+    final override string getName() { result = e.getName() }
 
     final override ExprCfgNode getCommand() { none() }
   }
 
-    /** A control-flow node that wraps an `ConstructorCall` expression. */
+  /** A control-flow node that wraps an `ConstructorCall` expression. */
   class ConstructorCallCfgNode extends InvokeMemberCfgNode {
     ConstructorCallCfgNode() { super.getExpr() instanceof ConstructorCall }
 
@@ -247,6 +261,23 @@ module ExprNodes {
     InvokeMemberCfgNode getInvokeMember() { this = result.getQualifier() }
   }
 
+  class TypeNameChildMapping extends ExprChildMapping, TypeNameExpr {
+    override predicate relevantChild(Ast n) { none() }
+  }
+
+  /** A control-flow node that wraps a `TypeName` expression. */
+  class TypeNameCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "TypeNameCfgNode" }
+
+    override TypeNameChildMapping e;
+
+    override TypeNameExpr getExpr() { result = super.getExpr() }
+
+    Type getType() { result = this.getExpr().getType() }
+
+    string getTypeName() { result = this.getExpr().getName() }
+  }
+
   class ConditionalChildMapping extends ExprChildMapping, ConditionalExpr {
     override predicate relevantChild(Ast n) { n = this.getCondition() or n = this.getABranch() }
   }
@@ -350,4 +381,19 @@ module StmtNodes {
     /** Gets the RHS of this assignment. */
     final StmtCfgNode getRightHandSide() { s.hasCfgChild(s.getRightHandSide(), this, result) }
   }
+
+  class CmdExprChildMapping extends NonExprChildMapping, CmdExpr {
+    override predicate relevantChild(Ast n) { n = this.getExpr() }
+  }
+
+  /** A control-flow node that wraps a `CmdExpr` expression. */
+  class CmdExprCfgNode extends StmtCfgNode {
+    override string getAPrimaryQlClass() { result = "CmdExprCfgNode" }
+
+    override CmdExprChildMapping s;
+
+    override CmdExpr getStmt() { result = super.getStmt() }
+
+    final ExprCfgNode getExpr() { s.hasCfgChild(s.getExpr(), this, result) }
+  }
 }