PS: Support 'this' as a parameter in SSA and dataflow.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll

@@ -37,7 +37,7 @@ abstract class LibraryCallable extends string {
   LibraryCallable() { any() }
 
   /** Gets a call to this library callable. */
-  Cmd getACall() { none() }
+  Call getACall() { none() }
 }
 
 /**
@@ -222,7 +222,8 @@ private module Cached {
 
   cached
   newtype TArgumentPosition =
-    TKeywordArgumentPosition(string name) { name = any(CmdParameter p).getName() } or
+    TThisArgumentPosition() or
+    TKeywordArgumentPosition(string name) { name = any(Argument p).getName() } or
     TPositionalArgumentPosition(int pos, NamedSet ns) {
       exists(CfgNodes::CallCfgNode call |
         call = ns.getABindingCall() and
@@ -232,7 +233,8 @@ private module Cached {
 
   cached
   newtype TParameterPosition =
-    TKeywordParameter(string name) { name = any(CmdParameter p).getName() } or
+    TThisParameterPosition() or
+    TKeywordParameter(string name) { name = any(Argument p).getName() } or
     TPositionalParameter(int pos, NamedSet ns) {
       exists(CfgNodes::CallCfgNode call |
         call = ns.getABindingCall() and
@@ -245,6 +247,9 @@ import Cached
 
 /** A parameter position. */
 class ParameterPosition extends TParameterPosition {
+  /** Holds if this position represents a `this` parameter. */
+  predicate isThis() { this = TThisParameterPosition() }
+
   /**
    * Holds if this position represents a positional parameter at position `pos`
    * with function is called with exactly the named parameters from the set `ns`
@@ -256,6 +261,8 @@ class ParameterPosition extends TParameterPosition {
 
   /** Gets a textual representation of this position. */
   string toString() {
+    this.isThis() and result = "this"
+    or
     exists(int pos, NamedSet ns |
       this.isPositional(pos, ns) and result = "pos(" + pos + ", " + ns.toString() + ")"
     )
@@ -266,13 +273,18 @@ class ParameterPosition extends TParameterPosition {
 
 /** An argument position. */
 class ArgumentPosition extends TArgumentPosition {
+  /** Holds if this position represents a `this` argument. */
+  predicate isThis() { this = TThisArgumentPosition() }
+
   /** Holds if this position represents a positional argument at position `pos`. */
   predicate isPositional(int pos, NamedSet ns) { this = TPositionalArgumentPosition(pos, ns) }
 
   predicate isKeyword(string name) { this = TKeywordArgumentPosition(name) }
 
   /** Gets a textual representation of this position. */
   string toString() {
+    this.isThis() and result = "this"
+    or
     exists(int pos, NamedSet ns |
       this.isPositional(pos, ns) and result = "pos(" + pos + ", " + ns.toString() + ")"
     )
@@ -284,6 +296,8 @@ class ArgumentPosition extends TArgumentPosition {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[nomagic]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
+  ppos.isThis() and apos.isThis()
+  or
   exists(string name |
     ppos.isKeyword(name) and
     apos.isKeyword(name)

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -407,6 +407,9 @@ private module ParameterNodes {
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
       parameter.getDeclaringScope() = c.asCfgScope() and
       (
+        pos.isThis() and
+        parameter.isThis()
+        or
         pos.isKeyword(parameter.getName())
         or
         // Given a function f with parameters x, y we map
@@ -432,7 +435,9 @@ private module ParameterNodes {
       )
     }
 
-    override CfgScope getCfgScope() { result.getAParameter() = parameter }
+    override CfgScope getCfgScope() {
+      result.getAParameter() = parameter or result.getThisParameter() = parameter
+    }
 
     override Location getLocationImpl() { result = parameter.getLocation() }
 
@@ -458,7 +463,7 @@ module ArgumentNodes {
     ExplicitArgumentNode() { this.asExpr() = arg }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-      arg.getCmd() = call.asCall() and
+      arg.getCall() = call.asCall() and
       (
         pos.isKeyword(arg.getName())
         or
@@ -467,6 +472,9 @@ module ArgumentNodes {
           ns.getAnExactBindingCall() = call.asCall() and
           pos.isPositional(i, ns)
         )
+        or
+        arg.isQualifier() and
+        pos.isThis()
       )
     }
   }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/SsaImpl.qll

@@ -69,8 +69,14 @@ predicate uninitializedWrite(Cfg::EntryBasicBlock bb, int i, LocalVariable v) {
  * function f($a, $b) { ... }
  * ```
  * the inverted index of `$a` is 1, and the inverted index of `$b` is 0.
+ *
+ * The inverted index of `$this` is always always the number of
+ * parameters (excluding `this`).
  */
 private int getInvertedIndex(Parameter p) {
+  p.isThis() and
+  result = p.getFunction().getNumberOfParameters()
+  or
   exists(int i |
     p.getIndex() = i or
     p.hasParameterBlock(_, i)