Merge pull request #104 from microsoft/powershell-field-flow

MathiasVP · web-flow · commit 5803e0611e1d · 2024-09-26T11:31:12.000+01:00
PS: Add field flow
diff --git a/powershell/ql/lib/semmle/code/powershell/MemberExpr.qll b/powershell/ql/lib/semmle/code/powershell/MemberExpr.qll
@@ -3,13 +3,26 @@ import powershell
 class MemberExpr extends @member_expression, MemberExprBase {
   final override Location getLocation() { member_expression_location(this, result) }
 
-  Expr getExpr() { member_expression(this, result, _, _, _) }
+  Expr getBase() { member_expression(this, result, _, _, _) }
 
   CmdElement getMember() { member_expression(this, _, result, _, _) }
 
+  /** Gets the name of the member being looked up, if any. */
+  string getMemberName() { result = this.getMember().(StringConstExpr).getValue().getValue() }
+
   predicate isNullConditional() { member_expression(this, _, _, true, _) }
 
   predicate isStatic() { member_expression(this, _, _, _, true) }
 
   final override string toString() { result = this.getMember().toString() }
 }
+
+/** A `MemberExpr` that is being written to. */
+class MemberExprWriteAccess extends MemberExpr {
+  MemberExprWriteAccess() { this = any(AssignStmt assign).getLeftHandSide() }
+}
+
+/** A `MemberExpr` that is being read from. */
+class MemberExprReadAccess extends MemberExpr {
+  MemberExprReadAccess() { not this instanceof MemberExprWriteAccess }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -191,7 +191,7 @@ module ExprNodes {
     final ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
   }
 
-    /** A control-flow node that wraps a qualifier expression. */
+  /** A control-flow node that wraps a qualifier expression. */
   class QualifierCfgNode extends ExprCfgNode {
     QualifierCfgNode() { this = any(InvokeMemberCfgNode invoke).getQualifier() }
 
@@ -220,6 +220,35 @@ module ExprNodes {
 
     final ExprCfgNode getIfFalse() { e.hasCfgChild(e.getIfFalse(), this, result) }
   }
+
+  class MemberChildMapping extends ExprChildMapping, MemberExpr {
+    override predicate relevantChild(Ast n) { n = this.getBase() or n = this.getMember() }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression. */
+  class MemberCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "MemberCfgNode" }
+
+    override MemberChildMapping e;
+
+    final override MemberExpr getExpr() { result = super.getExpr() }
+
+    final ExprCfgNode getBase() { e.hasCfgChild(e.getBase(), this, result) }
+
+    final string getMemberName() { result = e.getMemberName() }
+
+    predicate isStatic() { e.isStatic() }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression that is being written to. */
+  class MemberCfgWriteAccessNode extends MemberCfgNode {
+    MemberCfgWriteAccessNode() { this.getExpr() instanceof MemberExprWriteAccess }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression that is being read from. */
+  class MemberCfgReadAccessNode extends MemberCfgNode {
+    MemberCfgReadAccessNode() { this.getExpr() instanceof MemberExprReadAccess }
+  }
 }
 
 module StmtNodes {
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -114,8 +114,14 @@ private module Cached {
     TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
     TNormalParameterNode(Parameter p) or
     TExprPostUpdateNode(CfgNodes::ExprCfgNode n) {
-      n instanceof CfgNodes::ExprNodes::ArgumentCfgNode or
+      n instanceof CfgNodes::ExprNodes::ArgumentCfgNode
+      or
       n instanceof CfgNodes::ExprNodes::QualifierCfgNode
+      or
+      exists(CfgNodes::ExprNodes::MemberCfgNode member |
+        n = member.getBase() and
+        not member.isStatic()
+      )
     }
 
   cached
@@ -150,10 +156,15 @@ private module Cached {
   newtype TContentSet = TSingletonContent(Content c)
 
   cached
-  newtype TContent = TFieldContent(string name) { none() }
+  newtype TContent =
+    TFieldContent(string name) {
+      name = any(PropertyMember member).getName()
+      or
+      name = any(MemberExpr me).getMemberName()
+    }
 
   cached
-  newtype TContentApprox = TNonElementContentApprox(Content c) // TODO
+  newtype TContentApprox = TNonElementContentApprox(Content c)
 
   cached
   newtype TDataFlowType = TUnknownDataFlowType()
@@ -309,14 +320,26 @@ predicate jumpStep(Node pred, Node succ) {
  * content `c`.
  */
 predicate storeStep(Node node1, ContentSet c, Node node2) {
-  none() // TODO
+  node2.(PostUpdateNode).getPreUpdateNode().asExpr() =
+    any(CfgNodes::ExprNodes::MemberCfgNode var |
+      exists(CfgNodes::StmtNodes::AssignStmtCfgNode assign |
+        var = assign.getLeftHandSide() and
+        node1.asStmt() = assign.getRightHandSide()
+      |
+        c.isSingleton(any(Content::FieldContent ct | ct.getName() = var.getMemberName()))
+      )
+    ).getBase()
 }
 
 /**
  * Holds if there is a read step of content `c` from `node1` to `node2`.
  */
 predicate readStep(Node node1, ContentSet c, Node node2) {
-  none() // TODO
+  node2.asExpr() =
+    any(CfgNodes::ExprNodes::MemberCfgReadAccessNode var |
+      node1.asExpr() = var.getBase() and
+      c.isSingleton(any(Content::FieldContent ct | ct.getName() = var.getMemberName()))
+    )
 }
 
 /**
@@ -325,7 +348,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
  * in `x.f = newValue`.
  */
 predicate clearsContent(Node n, ContentSet c) {
-  none() // TODO
+  n = any(PostUpdateNode pun | storeStep(_, c, pun)).getPreUpdateNode()
 }
 
 /**
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -161,7 +161,19 @@ class Content extends TContent {
 }
 
 /** Provides different sub classes of `Content`. */
-module Content { }
+module Content {
+  /** A field of an object. */
+  class FieldContent extends Content, TFieldContent {
+    private string name;
+
+    FieldContent() { this = TFieldContent(name) }
+
+    /** Gets the name of the field. */
+    string getName() { result = name }
+
+    override string toString() { result = name }
+  }
+}
 
 /**
  * An entity that represents a set of `Content`s.
diff --git a/powershell/ql/test/library-tests/dataflow/fields/test.expected b/powershell/ql/test/library-tests/dataflow/fields/test.expected
@@ -0,0 +1,6 @@
+models
+edges
+nodes
+subpaths
+testFailures
+#select
diff --git a/powershell/ql/test/library-tests/dataflow/fields/test.ps1 b/powershell/ql/test/library-tests/dataflow/fields/test.ps1
@@ -0,0 +1,6 @@
+$a.f = Source "1"
+Sink $a.f # $ MISSING: hasValueFlow=1
+
+$a.f = Source "2"
+$a.f = 0
+Sink $a.f # clean
diff --git a/powershell/ql/test/library-tests/dataflow/fields/test.ql b/powershell/ql/test/library-tests/dataflow/fields/test.ql
@@ -0,0 +1,13 @@
+/**
+ * @kind path-problem
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+private import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import ValueFlow::PathGraph
+
+from ValueFlow::PathNode source, ValueFlow::PathNode sink
+where ValueFlow::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()

-Original file line number
+Diff line change
@@ @@ -0,0 +1,6 @@ @@
 +models
 +edges
 +nodes
 +subpaths
 +testFailures
 +#select