PS: Add wrapper classes for local and remote flow sources.

MathiasVP · MathiasVP · commit 4f58b1921776 · 2024-11-06T13:43:13.000Z
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/FlowSources.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/FlowSources.qll
@@ -0,0 +1,18 @@
+/** Provides classes representing various flow sources for taint tracking. */
+import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+import semmle.code.powershell.dataflow.flowsources.Remote
+import semmle.code.powershell.dataflow.flowsources.Local
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+
+/**
+ * A data flow source.
+ */
+abstract class SourceNode extends DataFlow::Node {
+  /**
+   * Gets a string that represents the source kind with respect to threat modeling.
+   */
+  abstract string getThreatModel();
+
+  /** Gets a string that describes the type of this flow source. */
+  abstract string getSourceType();
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Local.qll
@@ -0,0 +1,87 @@
+/**
+ * Provides classes representing sources of local input.
+ */
+
+import powershell
+private import FlowSources
+
+/** A data flow source of local data. */
+abstract class LocalFlowSource extends SourceNode {
+  override string getSourceType() { result = "local flow source" }
+
+  override string getThreatModel() { result = "local" }
+}
+
+private class ExternalLocalFlowSource extends LocalFlowSource {
+  ExternalLocalFlowSource() { this = ModelOutput::getASourceNode("local", _).asSource() }
+
+  override string getSourceType() { result = "external" }
+}
+
+/** A data flow source of local user input. */
+abstract class LocalUserInputSource extends LocalFlowSource { }
+
+/**
+ * A dataflow source that represents the access of an environment variable.
+ */
+abstract class EnvironmentVariableSource extends LocalFlowSource {
+  override string getThreatModel() { result = "environment" }
+
+  override string getSourceType() { result = "environment variable" }
+}
+
+private class ExternalEnvironmentVariableSource extends EnvironmentVariableSource {
+  ExternalEnvironmentVariableSource() {
+    this = ModelOutput::getASourceNode("environment", _).asSource()
+  }
+}
+
+/**
+ * A dataflow source that represents the access of a command line argument.
+ */
+abstract class CommandLineArgumentSource extends LocalFlowSource {
+  override string getThreatModel() { result = "commandargs" }
+
+  override string getSourceType() { result = "command line argument" }
+}
+
+private class ExternalCommandLineArgumentSource extends CommandLineArgumentSource {
+  ExternalCommandLineArgumentSource() {
+    this = ModelOutput::getASourceNode("command-line", _).asSource()
+  }
+}
+
+/**
+ * A data flow source that represents the parameters of the `Main` method of a program.
+ */
+private class MainMethodArgumentSource extends CommandLineArgumentSource {
+  MainMethodArgumentSource() { this.asParameter().getFunction() instanceof TopLevel }
+}
+
+/**
+ * A data flow source that represents the access of a value from the Windows registry.
+ */
+abstract class WindowsRegistrySource extends LocalFlowSource {
+  override string getThreatModel() { result = "windows-registry" }
+
+  override string getSourceType() { result = "a value from the Windows registry" }
+}
+
+private class ExternalWindowsRegistrySource extends WindowsRegistrySource {
+  ExternalWindowsRegistrySource() {
+    this = ModelOutput::getASourceNode("windows-registry", _).asSource()
+  }
+}
+
+/**
+ * A dataflow source that represents the reading from stdin.
+ */
+abstract class StdinSource extends LocalFlowSource {
+  override string getThreatModel() { result = "stdin" }
+
+  override string getSourceType() { result = "read from stdin" }
+}
+
+private class ExternalStdinSource extends StdinSource {
+  ExternalStdinSource() { this = ModelOutput::getASourceNode("stdin", _).asSource() }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/flowsources/Remote.qll
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/data/ModelsAsData.qll b/powershell/ql/lib/semmle/code/powershell/frameworks/data/ModelsAsData.qll
@@ -4,5 +4,48 @@
  */
 
 private import powershell
-private import semmle.code.powershell.dataflow.RemoteFlowSources
+private import semmle.code.powershell.ApiGraphs
+private import internal.ApiGraphModels as Shared
+private import internal.ApiGraphModelsSpecific as Specific
+import Shared::ModelInput as ModelInput
+import Shared::ModelOutput as ModelOutput
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
 private import semmle.code.powershell.dataflow.FlowSummary
+
+/**
+ * A remote flow source originating from a CSV source row.
+ */
+private class RemoteFlowSourceFromCsv extends RemoteFlowSource::Range {
+  RemoteFlowSourceFromCsv() { this = ModelOutput::getASourceNode("remote").asSource() }
+
+  override string getSourceType() { result = "Remote flow (from model)" }
+}
+
+private class SummarizedCallableFromModel extends SummarizedCallable {
+  string type;
+  string path;
+
+  SummarizedCallableFromModel() {
+    ModelOutput::relevantSummaryModel(type, path, _, _, _, _) and
+    this = type + ";" + path
+  }
+
+  override Call getACall() {
+    exists(API::MethodAccessNode base |
+      ModelOutput::resolvedSummaryBase(type, path, base) and
+      result = base.asCall().asExpr().getExpr()
+    )
+  }
+
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    exists(string kind | ModelOutput::relevantSummaryModel(type, path, input, output, kind, model) |
+      kind = "value" and
+      preservesValue = true
+      or
+      kind = "taint" and
+      preservesValue = false
+    )
+  }
+}
