PS: Fix false positive by fixing the 'getCommand' predicates in 'CallOperatorCfgNode' and 'CallOperator'. Also fix 'DotSourcingOperator::getPath' while here.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/ast/internal/Command.qll

@@ -76,14 +76,14 @@ class CmdCall extends CallExpr, TCmd {
 class CallOperator extends CmdCall {
   CallOperator() { getRawAst(this) instanceof Raw::CallOperator }
 
-  Expr getCommand() { result = this.getArgument(0) }
+  Expr getCommand() { result = this.getCallee() }
 }
 
 /** A call to the dot-sourcing `.`. */
 class DotSourcingOperator extends CmdCall {
   DotSourcingOperator() { getRawAst(this) instanceof Raw::DotSourcingOperator }
 
-  Expr getPath() { result = this.getArgument(0) }
+  Expr getPath() { result = this.getCallee() }
 }
 
 class JoinPath extends CmdCall {

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -605,7 +605,7 @@ module ExprNodes {
 
     override CallOperator getExpr() { result = e }
 
-    ExprCfgNode getCommand() { result = this.getArgument(0) }
+    ExprCfgNode getCommand() { result = this.getCallee() }
   }
 
   private class ToStringCallChildmapping extends CallExprChildMapping instanceof ToStringCall {

powershell/ql/test/query-tests/security/cwe-078/CommandInjection/CommandInjection.expected

@@ -53,7 +53,6 @@ edges
 | test.ps1:170:36:170:41 | input | test.ps1:129:11:129:20 | userinput | provenance |  |
 | test.ps1:172:42:172:47 | input | test.ps1:136:11:136:20 | userinput | provenance |  |
 | test.ps1:173:42:173:47 | input | test.ps1:144:11:144:20 | userinput | provenance |  |
-| test.ps1:214:10:214:32 | Call to read-host | test.ps1:215:16:215:19 | $o | provenance | Src:MaD:0  |
 nodes
 | test.ps1:3:11:3:20 | userinput | semmle.label | userinput |
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | semmle.label | Get-Process -Name $UserInput |
@@ -110,8 +109,6 @@ nodes
 | test.ps1:170:36:170:41 | input | semmle.label | input |
 | test.ps1:172:42:172:47 | input | semmle.label | input |
 | test.ps1:173:42:173:47 | input | semmle.label | input |
-| test.ps1:214:10:214:32 | Call to read-host | semmle.label | Call to read-host |
-| test.ps1:215:16:215:19 | $o | semmle.label | $o |
 subpaths
 #select
 | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:4:23:4:52 | Get-Process -Name $UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
@@ -132,4 +129,3 @@ subpaths
 | test.ps1:131:28:131:37 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:131:28:131:37 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:139:50:139:59 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:139:50:139:59 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
 | test.ps1:147:63:147:72 | UserInput | test.ps1:152:10:152:32 | Call to read-host | test.ps1:147:63:147:72 | UserInput | This command depends on a $@. | test.ps1:152:10:152:32 | Call to read-host | user-provided value |
-| test.ps1:215:16:215:19 | $o | test.ps1:214:10:214:32 | Call to read-host | test.ps1:215:16:215:19 | $o | This command depends on a $@. | test.ps1:214:10:214:32 | Call to read-host | user-provided value |

powershell/ql/test/query-tests/security/cwe-078/CommandInjection/test.ps1

@@ -212,5 +212,5 @@ Invoke-InvokeExpressionInjectionSafe4 -UserInput $input
 function false-positive-in-call-operator($d)
 {
     $o = Read-Host "enter input"
-    & unzip -o "$o" -d $d # GOOD [FALSE POSITIVE]
+    & unzip -o "$o" -d $d # GOOD
 }