PS: Taint flow through all calls to 'toString'.

MathiasVP · MathiasVP · commit 5f12d7c9704c · 2025-04-09T15:20:35.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/InvokeMemberExpression.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/InvokeMemberExpression.qll
@@ -72,3 +72,14 @@ class ConstructorCall extends InvokeMemberExpr {
   /** Gets the name of the type being constructed by this constructor call. */
   string getConstructedTypeName() { result = typename.getName() }
 }
+
+/**
+ * A call to a `toString` method. For example:
+ *
+ * ```powershell
+ * $x.ToString()
+ * ```
+ */
+class ToStringCall extends InvokeMemberExpr {
+  ToStringCall() { this.getName().toLowerCase() = "toString" }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -587,7 +587,7 @@ module ExprNodes {
   }
 
   private class CallOperatorChildMapping extends CallExprChildMapping instanceof CallOperator {
-    override predicate relevantChild(Ast child) { none() }
+    override predicate relevantChild(Ast child) { super.relevantChild(child) }
   }
 
   class CallOperatorCfgNode extends CallExprCfgNode {
@@ -600,6 +600,18 @@ module ExprNodes {
     ExprCfgNode getCommand() { result = this.getArgument(0) }
   }
 
+  private class ToStringCallChildmapping extends CallExprChildMapping instanceof ToStringCall {
+    override predicate relevantChild(Ast child) { super.relevantChild(child) }
+  }
+
+  class ToStringCallCfgNode extends CallExprCfgNode {
+    override string getAPrimaryQlClass() { result = "ToStringCallCfgNode" }
+
+    override ToStringCallChildmapping e;
+
+    override ToStringCall getExpr() { result = e }
+  }
+
   private class MemberExprChildMapping extends ExprChildMapping, MemberExpr {
     override predicate relevantChild(Ast child) {
       child = this.getQualifier()
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -534,6 +534,13 @@ class CallOperatorNode extends CallNode {
   Node getCommand() { result.asExpr() = call.getCommand() } // TODO: Alternatively, we could remap calls to & as command expressions.
 }
 
+/**
+ * A call to `ToString`, viewed as a node in a data flow graph.
+ */
+class ToStringCallNode extends CallNode {
+  override CfgNodes::ExprNodes::ToStringCallCfgNode call;
+}
+
 /** A use of a type name, viewed as a node in a data flow graph. */
 class TypeNameNode extends ExprNode {
   override CfgNodes::ExprNodes::TypeNameExprCfgNode n;
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
@@ -57,6 +57,8 @@ private module Cached {
         or
         c.isAnyElement()
       )
+      or
+      nodeTo.(DataFlow::ToStringCallNode).getQualifier() = nodeFrom
     ) and
     model = ""
     or

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@ private module Cached {`
`57`	`57`	`or`
`58`	`58`	`c.isAnyElement()`
`59`	`59`	`)`
	`60`	`+ or`
	`61`	`+ nodeTo.(DataFlow::ToStringCallNode).getQualifier() = nodeFrom`
`60`	`62`	`) and`
`61`	`63`	`model = ""`
`62`	`64`	`or`