PS: Also support method calls as calls.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/Call.qll

@@ -3,18 +3,27 @@ import powershell
 abstract private class AbstractCall extends Ast {
   abstract Expr getCommand();
 
+  /** Gets the i'th argument to this call. */
   abstract Expr getArgument(int i);
 
-  Expr getNamedArgument(string name) { none() }
+  /** Gets the i'th positional argument to this call. */
+  abstract Expr getPositionalArgument(int i);
 
-  Expr getAnArgument() { result = this.getArgument(_) or result = this.getNamedArgument(_) }
+  /** Gets the argument to this call with the name `name`. */
+  abstract Expr getNamedArgument(string name);
 
+  /** Gets any argument to this call. */
+  final Expr getAnArgument() { result = this.getArgument(_) }
+
+  /** Gets the qualifier of this call, if any. */
   Expr getQualifier() { none() }
 }
 
 private class CmdCall extends AbstractCall instanceof Cmd {
   final override Expr getCommand() { result = Cmd.super.getCommand() }
 
+  final override Expr getPositionalArgument(int i) { result = Cmd.super.getPositionalArgument(i) }
+
   final override Expr getArgument(int i) { result = Cmd.super.getArgument(i) }
 
   final override Expr getNamedArgument(string name) { result = Cmd.super.getNamedArgument(name) }
@@ -23,9 +32,15 @@ private class CmdCall extends AbstractCall instanceof Cmd {
 private class InvokeMemberCall extends AbstractCall instanceof InvokeMemberExpr {
   final override Expr getCommand() { result = super.getMember() }
 
-  final override Expr getArgument(int i) { result = InvokeMemberExpr.super.getArgument(i) }
+  final override Expr getPositionalArgument(int i) {
+    result = InvokeMemberExpr.super.getArgument(i)
+  }
+
+  final override Expr getArgument(int i) { result = this.getPositionalArgument(i) }
 
   final override Expr getQualifier() { result = InvokeMemberExpr.super.getQualifier() }
+
+  final override Expr getNamedArgument(string name) { none() }
 }
 
 final class Call = AbstractCall;

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -125,6 +125,22 @@ abstract private class NonExprChildMapping extends ChildMapping {
   }
 }
 
+abstract private class AbstractCallCfgNode extends AstCfgNode {
+  override string getAPrimaryQlClass() { result = "CfgCall" }
+
+  ExprCfgNode getQualifier() { none() }
+
+  abstract ExprCfgNode getArgument(int i);
+
+  abstract ExprCfgNode getPositionalArgument(int i);
+
+  abstract ExprCfgNode getNamedArgument(string name);
+
+  abstract ExprCfgNode getAnArgument();
+}
+
+final class CallCfgNode = AbstractCallCfgNode;
+
 /** Provides classes for control-flow nodes that wrap AST expressions. */
 module ExprNodes {
   private class VarAccessChildMapping extends ExprChildMapping, VarAccess {
@@ -189,14 +205,22 @@ module ExprNodes {
   }
 
   /** A control-flow node that wraps an `InvokeMemberExpr` expression. */
-  class InvokeMemberCfgNode extends ExprCfgNode {
+  class InvokeMemberCfgNode extends ExprCfgNode, AbstractCallCfgNode {
     override string getAPrimaryQlClass() { result = "InvokeMemberCfgNode" }
 
     override InvokeMemberChildMapping e;
 
     final override InvokeMemberExpr getExpr() { result = super.getExpr() }
 
-    final ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
+    final override ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
+
+    final override ExprCfgNode getArgument(int i) { e.hasCfgChild(e.getArgument(i), this, result) }
+
+    final override ExprCfgNode getPositionalArgument(int i) { result = this.getArgument(i) }
+
+    final override ExprCfgNode getNamedArgument(string name) { none() }
+
+    final override ExprCfgNode getAnArgument() { e.hasCfgChild(e.getAnArgument(), this, result) }
   }
 
   /** A control-flow node that wraps a qualifier expression. */
@@ -265,24 +289,24 @@ module StmtNodes {
   }
 
   /** A control-flow node that wraps a `Cmd` AST expression. */
-  class CmdCfgNode extends StmtCfgNode {
+  class CmdCfgNode extends StmtCfgNode, AbstractCallCfgNode {
     override string getAPrimaryQlClass() { result = "CmdCfgNode" }
 
     override CmdChildMapping s;
 
     override Cmd getStmt() { result = super.getStmt() }
 
-    ExprCfgNode getArgument(int i) { s.hasCfgChild(s.getArgument(i), this, result) }
+    override ExprCfgNode getArgument(int i) { s.hasCfgChild(s.getArgument(i), this, result) }
 
-    ExprCfgNode getPositionalArgument(int i) {
+    override ExprCfgNode getPositionalArgument(int i) {
       s.hasCfgChild(s.getPositionalArgument(i), this, result)
     }
 
-    ExprCfgNode getNamedArgument(string name) {
+    override ExprCfgNode getNamedArgument(string name) {
       s.hasCfgChild(s.getNamedArgument(name), this, result)
     }
 
-    ExprCfgNode getAnArgument() { s.hasCfgChild(s.getAnArgument(), this, result) }
+    override ExprCfgNode getAnArgument() { s.hasCfgChild(s.getAnArgument(), this, result) }
 
     ExprCfgNode getCommand() { s.hasCfgChild(s.getCommand(), this, result) }
   }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll

@@ -77,7 +77,7 @@ abstract class DataFlowCall extends TDataFlowCall {
   abstract DataFlowCallable getEnclosingCallable();
 
   /** Gets the underlying source code call, if any. */
-  abstract CfgNodes::StmtNodes::CmdCfgNode asCall();
+  abstract CfgNodes::CallCfgNode asCall();
 
   /** Gets a textual representation of this call. */
   abstract string toString();
@@ -107,11 +107,11 @@ abstract class DataFlowCall extends TDataFlowCall {
 }
 
 class NormalCall extends DataFlowCall, TNormalCall {
-  private CfgNodes::StmtNodes::CmdCfgNode c;
+  private CfgNodes::CallCfgNode c;
 
   NormalCall() { this = TNormalCall(c) }
 
-  override CfgNodes::StmtNodes::CmdCfgNode asCall() { result = c }
+  override CfgNodes::CallCfgNode asCall() { result = c }
 
   override DataFlowCallable getEnclosingCallable() { result = TCfgScope(c.getScope()) }
 
@@ -121,7 +121,7 @@ class NormalCall extends DataFlowCall, TNormalCall {
 }
 
 /** A call for which we want to compute call targets. */
-private class RelevantCall extends CfgNodes::StmtNodes::CmdCfgNode { }
+private class RelevantCall extends CfgNodes::CallCfgNode { }
 
 /** Holds if `call` may resolve to the returned source-code method. */
 private DataFlowCallable viableSourceCallable(DataFlowCall call) {
@@ -139,15 +139,7 @@ class AdditionalCallTarget extends Unit {
   /**
    * Gets a viable target for `call`.
    */
-  abstract DataFlowCallable viableTarget(CfgNodes::StmtNodes::CmdCfgNode call);
-}
-
-/** Holds if `call` may resolve to the returned summarized library method. */
-DataFlowCallable viableLibraryCallable(DataFlowCall call) {
-  exists(LibraryCallable callable |
-    result = TLibraryCallable(callable) and
-    call.asCall().getStmt() = callable.getACall()
-  )
+  abstract DataFlowCallable viableTarget(CfgNodes::CallCfgNode call);
 }
 
 cached
@@ -158,33 +150,29 @@ private module Cached {
     TLibraryCallable(LibraryCallable callable)
 
   cached
-  newtype TDataFlowCall = TNormalCall(CfgNodes::StmtNodes::CmdCfgNode c)
+  newtype TDataFlowCall = TNormalCall(CfgNodes::CallCfgNode c)
 
   /** Gets a viable run-time target for the call `call`. */
   cached
-  DataFlowCallable viableCallable(DataFlowCall call) {
-    result = viableSourceCallable(call)
-    or
-    result = viableLibraryCallable(call)
-  }
+  DataFlowCallable viableCallable(DataFlowCall call) { result = viableSourceCallable(call) }
 
   cached
   newtype TArgumentPosition =
     TKeywordArgumentPosition(string name) { name = any(CmdParameter p).getName() } or
     TPositionalArgumentPosition(int pos, NamedSet ns) {
-      exists(Cmd cmd |
-        cmd = ns.getABindingCall() and
-        exists(cmd.getArgument(pos))
+      exists(CfgNodes::CallCfgNode call |
+        call = ns.getABindingCall() and
+        exists(call.getArgument(pos))
       )
     }
 
   cached
   newtype TParameterPosition =
     TKeywordParameter(string name) { name = any(CmdParameter p).getName() } or
     TPositionalParameter(int pos, NamedSet ns) {
-      exists(Cmd cmd |
-        cmd = ns.getABindingCall() and
-        exists(cmd.getArgument(pos))
+      exists(CfgNodes::CallCfgNode call |
+        call = ns.getABindingCall() and
+        exists(call.getArgument(pos))
       )
     }
 }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -229,9 +229,10 @@ class SsaInputNode extends SsaNode {
   override CfgScope getCfgScope() { result = node.getDefinitionExt().getBasicBlock().getScope() }
 }
 
-private string getANamedArgument(Cmd c) { exists(c.getNamedArgument(result)) }
+private string getANamedArgument(CfgNodes::CallCfgNode c) { exists(c.getNamedArgument(result)) }
 
-private module NamedSetModule = QlBuiltins::InternSets<Cmd, string, getANamedArgument/1>;
+private module NamedSetModule =
+  QlBuiltins::InternSets<CfgNodes::CallCfgNode, string, getANamedArgument/1>;
 
 private newtype NamedSet0 =
   TEmptyNamedSet() or
@@ -257,11 +258,11 @@ class NamedSet extends NamedSet0 {
   }
 
   /**
-   * Gets a `Cmd` that provides a named parameter for every name in `this`.
+   * Gets a `CfgNodes::CallCfgNode` that provides a named parameter for every name in `this`.
    *
-   * NOTE: The `Cmd` may also provide more names.
+   * NOTE: The `CfgNodes::CallCfgNode` may also provide more names.
    */
-  Cmd getABindingCall() {
+  CfgNodes::CallCfgNode getABindingCall() {
     forex(string name | name = this.getAName() | exists(result.getNamedArgument(name)))
     or
     this.isEmpty() and
@@ -272,7 +273,7 @@ class NamedSet extends NamedSet0 {
    * Gets a `Cmd` that provides exactly the named parameters represented by
    * this set.
    */
-  Cmd getAnExactBindingCall() {
+  CfgNodes::CallCfgNode getAnExactBindingCall() {
     forex(string name | name = this.getAName() | exists(result.getNamedArgument(name))) and
     forex(string name | exists(result.getNamedArgument(name)) | name = this.getAName())
     or
@@ -366,7 +367,7 @@ module ArgumentNodes {
         or
         exists(NamedSet ns, int i |
           i = arg.getPosition() and
-          ns.getAnExactBindingCall() = call.asCall().getStmt() and
+          ns.getAnExactBindingCall() = call.asCall() and
           pos.isPositional(i, ns)
         )
       )