PS: Add a concept of 'source call' vs. 'library call' to avoid non-monotonic recursion in the next commits.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/dataflow/FlowSummary.qll

@@ -3,7 +3,7 @@
 import powershell
 private import semmle.code.powershell.controlflow.Cfg
 private import semmle.code.powershell.typetracking.TypeTracking
-import semmle.code.powershell.dataflow.DataFlow
+private import semmle.code.powershell.dataflow.DataFlow
 private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch
 private import internal.DataFlowImplCommon as DataFlowImplCommon
@@ -55,5 +55,7 @@ abstract class SimpleSummarizedCallable extends SummarizedCallable {
   bindingset[this]
   SimpleSummarizedCallable() { c.getName() = this }
 
-  final override MethodCall getACall() { result = c }
+  final override Call getACall() { result = c }
+
+  final override Call getACallSimple() { result = c }
 }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll

@@ -40,6 +40,15 @@ abstract class LibraryCallable extends string {
 
   /** Gets a call to this library callable. */
   Call getACall() { none() }
+
+  /** Same as `getACall()` except this does not depend on the call graph or API graph. */
+  Call getACallSimple() { none() }
+}
+
+/** A callable defined in library code, which should be taken into account in type tracking. */
+abstract class LibraryCallableToIncludeInTypeTracking extends LibraryCallable {
+  bindingset[this]
+  LibraryCallableToIncludeInTypeTracking() { exists(this) }
 }
 
 /**
@@ -230,6 +239,14 @@ class AdditionalCallTarget extends Unit {
   abstract DataFlowCallable viableTarget(CfgNodes::CallCfgNode call);
 }
 
+/** Holds if `call` may resolve to the returned summarized library method. */
+DataFlowCallable viableLibraryCallable(DataFlowCall call) {
+  exists(LibraryCallable callable |
+    result = TLibraryCallable(callable) and
+    call.asCall().getAstNode() = [callable.getACall(), callable.getACallSimple()]
+  )
+}
+
 cached
 private module Cached {
   cached

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -479,6 +479,13 @@ private module ParameterNodes {
     abstract Parameter getParameter();
 
     abstract predicate isParameterOf(DataFlowCallable c, ParameterPosition pos);
+
+    final predicate isSourceParameterOf(CfgScope c, ParameterPosition pos) {
+      exists(DataFlowCallable callable |
+        this.isParameterOf(callable, pos) and
+        c = callable.asCfgScope()
+      )
+    }
   }
 
   /**
@@ -590,6 +597,8 @@ abstract class ArgumentNode extends Node {
   /** Holds if this argument occurs at the given position in the given call. */
   abstract predicate argumentOf(DataFlowCall call, ArgumentPosition pos);
 
+  abstract predicate sourceArgumentOf(CfgNodes::CallCfgNode call, ArgumentPosition pos);
+
   /** Gets the call in which this node is an argument. */
   final DataFlowCall getCall() { this.argumentOf(result, _) }
 }
@@ -601,13 +610,17 @@ module ArgumentNodes {
     ExplicitArgumentNode() { this.asExpr() = arg }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-      arg.getCall() = call.asCall() and
+      this.sourceArgumentOf(call.asCall(), pos)
+    }
+
+    override predicate sourceArgumentOf(CfgNodes::CallCfgNode call, ArgumentPosition pos) {
+      arg.getCall() = call and
       (
         pos.isKeyword(arg.getName())
         or
         exists(NamedSet ns, int i |
           i = arg.getPosition() and
-          ns.getAnExactBindingCall() = call.asCall() and
+          ns.getAnExactBindingCall() = call and
           pos.isPositional(i, ns)
         )
         or
@@ -632,7 +645,11 @@ module ArgumentNodes {
     PipelineArgumentNode() { isPipelineInput(this.getStmtNode(), consumer) }
 
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-      call.asCall() = consumer and
+      this.sourceArgumentOf(call.asCall(), pos)
+    }
+
+    override predicate sourceArgumentOf(CfgNodes::CallCfgNode call, ArgumentPosition pos) {
+      call = consumer and
       pos.isPipeline()
     }
   }
@@ -648,6 +665,8 @@ module ArgumentNodes {
     override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
       call.(SummaryCall).getReceiver() = receiver and pos = pos_
     }
+
+    override predicate sourceArgumentOf(CfgNodes::CallCfgNode call, ArgumentPosition pos) { none() }
   }
 }
 

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll

@@ -1,6 +1,7 @@
 private import powershell
 private import DataFlowDispatch
 private import DataFlowPrivate
+private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
 private import semmle.code.powershell.Cfg
 
 /**
@@ -13,6 +14,8 @@ class Node extends TNode {
 
   CfgNodes::StmtCfgNode asStmt() { result = this.(StmtNode).getStmtNode() }
 
+  ScriptBlock asCallable() { result = this.(CallableNode).asCallableAstNode() }
+
   /** Gets the parameter corresponding to this node, if any. */
   Parameter asParameter() { result = this.(ParameterNode).getParameter() }
 
@@ -27,6 +30,12 @@ class Node extends TNode {
    */
   Node getAPredecessor() { localFlowStep(result, this) }
 
+  /**
+   * Gets a local source node from which data may flow to this node in zero or
+   * more local data-flow steps.
+   */
+  LocalSourceNode getALocalSource() { result.flowsTo(this) }
+
   /**
    * Gets a data flow node to which data may flow from this node in one local step.
    */
@@ -115,9 +124,18 @@ class PostUpdateNode extends Node {
 
 cached
 private module Cached {
+  cached
+  predicate hasMethodCall(LocalSourceNode source, CallNode call, string name) {
+    source.flowsTo(call.getQualifier()) and
+    call.getName() = name
+  }
+
   cached
   CfgScope getCfgScope(NodeImpl node) { result = node.getCfgScope() }
 
+  cached
+  ReturnNode getAReturnNode(ScriptBlock scriptBlock) { getCfgScope(result) = scriptBlock }
+
   cached
   Parameter getParameter(ParameterNodeImpl param) { result = param.getParameter() }
 
@@ -126,6 +144,11 @@ private module Cached {
     param.isParameterOf(c, result)
   }
 
+  cached
+  ParameterPosition getSourceParameterPosition(ParameterNodeImpl param, ScriptBlock c) {
+    param.isSourceParameterOf(c, result)
+  }
+
   cached
   Node getPreUpdateNode(PostUpdateNodeImpl node) { result = node.getPreUpdateNode() }
 

powershell/ql/lib/semmle/code/powershell/dataflow/internal/FlowSummaryImpl.qll

@@ -111,6 +111,8 @@ private import Make<Location, DataFlowImplSpecific::PowershellDataFlow, Input> a
 private module StepsInput implements Impl::Private::StepsInputSig {
   DataFlowCall getACall(Public::SummarizedCallable sc) {
     result.asCall().getAstNode() = sc.(LibraryCallable).getACall()
+    or
+    result.asCall().getAstNode() = sc.(LibraryCallable).getACallSimple()
   }
 }
 

powershell/ql/lib/semmle/code/powershell/typetracking/internal/TypeTrackingImpl.qll

@@ -13,14 +13,28 @@ private import semmle.code.powershell.dataflow.internal.DataFlowDispatch as Data
 private import semmle.code.powershell.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import codeql.util.Unit
 
+pragma[noinline]
+private predicate sourceArgumentPositionMatch(
+  CallCfgNode call, DataFlowPrivate::ArgumentNode arg, DataFlowDispatch::ParameterPosition ppos
+) {
+  exists(DataFlowDispatch::ArgumentPosition apos |
+    arg.sourceArgumentOf(call, apos) and
+    DataFlowDispatch::parameterMatch(ppos, apos)
+  )
+}
+
 pragma[noinline]
 private predicate argumentPositionMatch(
   DataFlowDispatch::DataFlowCall call, DataFlowPrivate::ArgumentNode arg,
   DataFlowDispatch::ParameterPosition ppos
 ) {
+  sourceArgumentPositionMatch(call.asCall(), arg, ppos)
+  or
   exists(DataFlowDispatch::ArgumentPosition apos |
+    DataFlowDispatch::parameterMatch(ppos, apos) and
     arg.argumentOf(call, apos) and
-    DataFlowDispatch::parameterMatch(ppos, apos)
+    call.getEnclosingCallable().asLibraryCallable() instanceof
+      DataFlowDispatch::LibraryCallableToIncludeInTypeTracking
   )
 }
 
@@ -31,6 +45,12 @@ private predicate viableParam(
 ) {
   exists(DataFlowDispatch::DataFlowCallable callable |
     DataFlowDispatch::getTarget(call) = callable.asCfgScope()
+    or
+    call.asCall().getAstNode() =
+      callable
+          .asLibraryCallable()
+          .(DataFlowDispatch::LibraryCallableToIncludeInTypeTracking)
+          .getACallSimple()
   |
     p.isParameterOf(callable, ppos)
   )
@@ -103,45 +123,33 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
 
   // Relating nodes to summaries
   Node argumentOf(Node call, SummaryComponent arg, boolean isPostUpdate) {
-    // exists(
-    //   DataFlowDispatch::ParameterPosition pos, DataFlowPrivate::ArgumentNode n,
-    //   DataFlowDispatch::DataFlowCall dfCall
-    // |
-    //   arg = FlowSummaryImpl::Private::SummaryComponent::argument(pos) and
-    //   // TODO: Make this look more like Ruby when we know why it should be like Ruby
-    //   dfCall.asCall() = call.(DataFlow::AstNode).getCfgNode() and
-    //   argumentPositionMatch(dfCall, n, pos)
-    // |
-    //   isPostUpdate = false and result = n
-    //   or
-    //   isPostUpdate = true and result.(DataFlowPublic::PostUpdateNode).getPreUpdateNode() = n
-    // )
-    none()
+    exists(DataFlowDispatch::ParameterPosition pos, DataFlowPrivate::ArgumentNode n |
+      arg = FlowSummaryImpl::Private::SummaryComponent::argument(pos) and
+      sourceArgumentPositionMatch(call.asExpr(), n, pos)
+    |
+      isPostUpdate = false and result = n
+      or
+      isPostUpdate = true and result.(DataFlowPublic::PostUpdateNode).getPreUpdateNode() = n
+    )
   }
 
   Node parameterOf(Node callable, SummaryComponent param) {
-    // exists(DataFlowDispatch::ArgumentPosition apos, DataFlowDispatch::ParameterPosition ppos |
-    //   param = FlowSummaryImpl::Private::SummaryComponent::parameter(apos) and
-    //   DataFlowDispatch::parameterMatch(ppos, apos) and
-    //   result
-    //       .(DataFlowPrivate::ParameterNodeImpl)
-    //       .isSourceParameterOf(callable, ppos)
-    // )
-    // TODO
-    none()
+    exists(DataFlowDispatch::ArgumentPosition apos, DataFlowDispatch::ParameterPosition ppos |
+      param = FlowSummaryImpl::Private::SummaryComponent::parameter(apos) and
+      DataFlowDispatch::parameterMatch(ppos, apos) and
+      result.(DataFlowPrivate::ParameterNodeImpl).isSourceParameterOf(callable.asCallable(), ppos)
+    )
   }
 
   Node returnOf(Node callable, SummaryComponent return) {
-    // return = FlowSummaryImpl::Private::SummaryComponent::return() and
-    // result.(DataFlowPrivate::ReturnNode).(DataFlowPrivate::NodeImpl).getCfgScope() =
-    //   callable.asExpr().getExpr()
-    // TODO
-    none()
+    return = FlowSummaryImpl::Private::SummaryComponent::return() and
+    result.(DataFlowPrivate::ReturnNode).(DataFlowPrivate::NodeImpl).getCfgScope() =
+      callable.asCallable()
   }
 
   // Relating callables to nodes
   Node callTo(SummarizedCallable callable) {
-    result.asExpr().getExpr() = callable.(FlowSummary::SummarizedCallable).getACall()
+    result.asExpr().getExpr() = callable.(FlowSummary::SummarizedCallable).getACallSimple()
   }
 }