PS: Pipeline flow.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/Variable.qll

@@ -160,7 +160,8 @@ private newtype TVariable =
     not name = "this" and // This is modeled as a parameter
     exists(VarAccess va | va.getUserPath() = name and scope = va.getEnclosingScope())
   } or
-  TParameter(ParameterImpl p)
+  TParameter(ParameterImpl p) or
+  TPipelineIteratorVariable(ProcessBlock pb)
 
 private class AbstractVariable extends TVariable {
   abstract Location getLocation();
@@ -272,3 +273,23 @@ class Parameter extends AbstractLocalScopeVariable, TParameter {
 class PipelineParameter extends Parameter {
   PipelineParameter() { this.isPipeline() }
 }
+
+/**
+ * The variable that represents the value of a pipeline during a process block.
+ * 
+ * That is, it is _not_ the pipeline variable, but the value that is obtained by reading
+ * from the pipeline.
+ */
+class PipelineIteratorVariable extends AbstractLocalScopeVariable, TPipelineIteratorVariable {
+  private ProcessBlock pb;
+
+  PipelineIteratorVariable() { this = TPipelineIteratorVariable(pb) }
+
+  override Location getLocation() { result = pb.getLocation() }
+
+  override string getName() { result = "pipeline iterator for " + pb.toString() }
+
+  final override Scope getDeclaringScope() { result = pb.getEnclosingScope() }
+
+  ProcessBlock getProcessBlock() { result = pb }
+}

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -76,6 +76,8 @@ module SsaFlow {
     or
     result.(Impl::ExprNode).getExpr() = n.asStmt()
     or
+    result.(Impl::ExprNode).getExpr() = n.(ProcessNode).getProcessBlock()
+    or
     result.(Impl::ExprPostUpdateNode).getExpr() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
     or
     n = toParameterNode(result.(Impl::ParameterNode).getParameter())
@@ -148,7 +150,8 @@ private module Cached {
     } or
     TPreReturnNodeImpl(CfgNodes::AstCfgNode n, Boolean isArray) { isReturned(n) } or
     TImplicitWrapNode(CfgNodes::AstCfgNode n, Boolean shouldWrap) { isReturned(n) } or
-    TReturnNodeImpl(CfgScope scope)
+    TReturnNodeImpl(CfgScope scope) or
+    TProcessNode(ProcessBlock process)
 
   cached
   Location getLocation(NodeImpl n) { result = n.getLocationImpl() }
@@ -462,6 +465,9 @@ private module ParameterNodes {
                 p.getName() = ns.getAName()
               )
         )
+        or
+        parameter.isPipeline() and
+        pos.isPipeline()
       )
     }
 
@@ -508,6 +514,26 @@ module ArgumentNodes {
       )
     }
   }
+
+  private predicate isPipelineInput(
+    CfgNodes::StmtNodes::CmdBaseCfgNode input, CfgNodes::StmtNodes::CmdBaseCfgNode consumer
+  ) {
+    exists(CfgNodes::StmtNodes::PipelineCfgNode pipeline, int i |
+      input = pipeline.getComponent(i) and
+      consumer = pipeline.getComponent(i + 1)
+    )
+  }
+
+  class PipelineArgumentNode extends ArgumentNode, StmtNode {
+    CfgNodes::StmtNodes::CmdBaseCfgNode consumer;
+
+    PipelineArgumentNode() { isPipelineInput(this.getStmtNode(), consumer) }
+
+    override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
+      call.asCall() = consumer and
+      pos.isPipeline()
+    }
+  }
 }
 
 import ArgumentNodes
@@ -706,6 +732,12 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
     node2 = TImplicitWrapNode(cfgNode, true) and
     c.isSingleton(any(Content::KnownElementContent ec))
   )
+  or
+  c.isAnyElement() and
+  exists(SsaImpl::DefinitionExt def |
+    node1.(ProcessNode).getIteratorVariable() = def.getSourceVariable() and
+    SsaImpl::firstRead(def, node2.asExpr())
+  )
 }
 
 /**
@@ -731,6 +763,9 @@ predicate expectsContent(Node n, ContentSet c) {
   or
   n = TImplicitWrapNode(_, false) and
   c.isSingleton(any(Content::UnknownElementContent ec))
+  or
+  n instanceof ProcessNode and
+  c.isAnyElement()
 }
 
 class DataFlowType extends TDataFlowType {
@@ -850,6 +885,24 @@ private class ReturnNodeImpl extends TReturnNodeImpl, NodeImpl {
   override predicate nodeIsHidden() { any() }
 }
 
+private class ProcessNode extends TProcessNode, NodeImpl {
+  ProcessBlock process;
+
+  ProcessNode() { this = TProcessNode(process) }
+
+  override CfgScope getCfgScope() { result = process.getEnclosingScope() }
+
+  override Location getLocationImpl() { result = process.getLocation() }
+
+  override string toStringImpl() { result = process.toString() }
+
+  override predicate nodeIsHidden() { any() }
+
+  PipelineIteratorVariable getIteratorVariable() { result.getProcessBlock() = process }
+
+  CfgNodes::ProcessBlockCfgNode getProcessBlock() { result.getAstNode() = process }
+}
+
 /** A node that performs a type cast. */
 class CastNode extends Node {
   CastNode() { none() }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/SsaImpl.qll

@@ -34,12 +34,18 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
       parameterWrite(bb, i, v)
       or
       variableWriteActual(bb, i, v, _)
+      or
+      pipelineIteratorWrite(bb, i, v)
     ) and
     certain = true
   }
 
   predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {
-    variableReadActual(bb, i, v) and
+    (
+      variableReadActual(bb, i, v)
+      or
+      pipelineRead(bb, i, v)
+    ) and
     certain = true
   }
 }
@@ -62,6 +68,13 @@ predicate uninitializedWrite(Cfg::EntryBasicBlock bb, int i, LocalVariable v) {
   i = -1
 }
 
+predicate pipelineIteratorWrite(Cfg::BasicBlock bb, int i, PipelineIteratorVariable v) {
+  exists(ProcessBlockCfgNode process |
+    process = bb.getNode(i) and
+    v.getProcessBlock() = process.getAstNode()
+  )
+}
+
 /**
  * Gets index of `p` in a version of the enclosing function where the parameter
  * list is reversed.
@@ -101,11 +114,28 @@ predicate parameterWrite(Cfg::EntryBasicBlock bb, int i, Parameter p) {
   )
 }
 
+private PipelineIteratorVariable getPipelineIterator(PipelineParameter pipelineParam) {
+  result.getProcessBlock().getScriptBlock() = pipelineParam.getDeclaringScope()
+}
+
+private predicate isPipelineIteratorVarAccess(VarAccessCfgNode va) {
+  va.getVariable() instanceof PipelineParameter and
+  va.getAstNode().getParent*() instanceof ProcessBlock
+}
+
 /** Holds if `v` is read at index `i` in basic block `bb`. */
-private predicate variableReadActual(Cfg::BasicBlock bb, int i, LocalScopeVariable v) {
-  exists(VarReadAccess read |
-    read.getVariable() = v and
-    read = bb.getNode(i).getAstNode()
+private predicate variableReadActual(Cfg::BasicBlock bb, int i, SsaInput::SourceVariable v) {
+  exists(VarReadAccessCfgNode read, SsaInput::SourceVariable w |
+    read.getVariable() = w and read = bb.getNode(i)
+  |
+    if isPipelineIteratorVarAccess(read) then v = getPipelineIterator(w) else v = w
+  )
+}
+
+private predicate pipelineRead(Cfg::BasicBlock bb, int i, SsaInput::SourceVariable v) {
+  exists(ProcessBlockCfgNode process |
+    process = bb.getNode(i) and
+    v = process.getPipelineParameter()
   )
 }
 
@@ -195,11 +225,12 @@ private module Cached {
    */
   cached
   predicate variableWriteActual(
-    Cfg::BasicBlock bb, int i, LocalScopeVariable v, VarWriteAccessCfgNode write
+    Cfg::BasicBlock bb, int i, SsaInput::SourceVariable v, VarWriteAccessCfgNode write
   ) {
-    exists(Cfg::CfgNode n |
-      write.getVariable() = v and
-      n = bb.getNode(i)
+    exists(Cfg::CfgNode n, SsaInput::SourceVariable w |
+      write.getVariable() = w and
+      n = bb.getNode(i) and
+      if isPipelineIteratorVarAccess(write) then v = getPipelineIterator(w) else v = w
     |
       write.isExplicitWrite(n)
       or