Merge pull request #215 from microsoft/ps-add-sql-injection-query

chanel-y · web-flow · commit 64dd13d4ebe4 · 2025-04-29T10:31:55.000-07:00
PS: Add SQL injection query
diff --git a/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll b/powershell/ql/lib/semmle/code/powershell/ApiGraphs.qll
@@ -577,7 +577,7 @@ module API {
       )
       or
       exists(MemberExprReadAccess read |
-        read.getMemberName().toLowerCase() = name and
+        read.getLowerCaseMemberName().toLowerCase() = name and
         pred = getForwardEndNode(getALocalSourceStrict(getNodeFromExpr(read.getQualifier()))) and
         succ = getForwardStartNode(getNodeFromExpr(read))
       )
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Constant.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Constant.qll
@@ -24,6 +24,10 @@ class ConstantValue extends TConstantValue {
   /** Gets the value of this consant. */
   string getValue() { none() }
 
+  bindingset[s]
+  pragma[inline_late]
+  final predicate stringMatches(string s) { this.asString().toLowerCase() = s.toLowerCase() }
+
   /** Gets the integer value of this constant, if any. */
   int asInt() { none() }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Function.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Function.qll
@@ -1,7 +1,7 @@
 private import AstImport
 
 class Function extends FunctionBase, TFunction {
-  final override string getName() { any(Synthesis s).functionName(this, result) }
+  final override string getLowerCaseName() { any(Synthesis s).functionName(this, result) }
 
   final override ScriptBlock getBody() { any(Synthesis s).functionScriptBlock(this, result) }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/FunctionBase.qll
@@ -2,11 +2,13 @@ private import AstImport
 private import semmle.code.powershell.controlflow.BasicBlocks
 
 class FunctionBase extends Ast, TFunctionBase {
-  final override string toString() { result = this.getName() }
+  final override string toString() { result = this.getLowerCaseName() }
 
-  string getName() { none() }
+  string getLowerCaseName() { none() }
 
-  final predicate hasName(string name) { name = this.getName() }
+  bindingset[name]
+  pragma[inline_late]
+  predicate nameMatches(string name) { this.getLowerCaseName() = name.toLowerCase() }
 
   ScriptBlock getBody() { none() }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Member.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Member.qll
@@ -1,12 +1,16 @@
 private import AstImport
 
 class Member extends Ast, TMember {
-  string getName() {
-    result = getRawAst(this).(Raw::Member).getName()
+  string getLowerCaseName() {
+    result = getRawAst(this).(Raw::Member).getName().toLowerCase()
     or
     any(Synthesis s).memberName(this, result)
   }
 
+  bindingset[name]
+  pragma[inline_late]
+  predicate memberNameMatches(string name) { this.getLowerCaseName() = name.toLowerCase() }
+
   Type getDeclaringType() { result.getAMember() = this }
 
   final Attribute getAttribute(int i) {
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/MemberExpr.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/MemberExpr.qll
@@ -28,19 +28,29 @@ class MemberExpr extends Expr, TMemberExpr {
   }
 
   /** Gets the name of the member being looked up, if any. */
-  string getMemberName() {
+  string getLowerCaseMemberName() {
     result =
-      getRawAst(this).(Raw::MemberExpr).getMember().(Raw::StringConstExpr).getValue().getValue()
+      getRawAst(this)
+          .(Raw::MemberExpr)
+          .getMember()
+          .(Raw::StringConstExpr)
+          .getValue()
+          .getValue()
+          .toLowerCase()
   }
 
+  bindingset[name]
+  pragma[inline_late]
+  predicate memberNameMatches(string name) { this.getLowerCaseMemberName() = name.toLowerCase() }
+
   predicate isNullConditional() { getRawAst(this).(Raw::MemberExpr).isNullConditional() }
 
   predicate isStatic() { getRawAst(this).(Raw::MemberExpr).isStatic() }
 
   final override string toString() {
-    result = this.getMemberName()
+    result = this.getLowerCaseMemberName()
     or
-    not exists(this.getMemberName()) and
+    not exists(this.getLowerCaseMemberName()) and
     result = "..."
   }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Method.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Method.qll
@@ -1,7 +1,7 @@
 private import AstImport
 
 class Method extends Member, FunctionBase, TMethod {
-  final override string getName() { result = Member.super.getName() }
+  final override string getLowerCaseName() { result = Member.super.getLowerCaseName() }
 
   final override ScriptBlock getBody() {
     exists(Raw::Ast r | r = getRawAst(this) |
@@ -24,9 +24,7 @@ class Method extends Member, FunctionBase, TMethod {
 
   predicate isConstructor() { getRawAst(this).(Raw::Method).isConstructor() }
 
-  ThisParameter getThisParameter() {
-    result.getFunction() = this
-  }
+  ThisParameter getThisParameter() { result.getFunction() = this }
 }
 
 /** A constructor definition. */
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/PropertyMember.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/PropertyMember.qll
@@ -1,7 +1,7 @@
 private import AstImport
 
 class PropertyMember extends Member, TPropertyMember {
-  final override string getName() { result = getRawAst(this).(Raw::PropertyMember).getName() }
+  final override string getLowerCaseName() { result = getRawAst(this).(Raw::PropertyMember).getName().toLowerCase() }
 
-  final override string toString() { result = this.getName() }
+  final override string toString() { result = this.getLowerCaseName() }
 }
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/Type.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/Type.qll
@@ -1,21 +1,21 @@
 private import AstImport
 
 class Type extends Ast, TTypeSynth {
-  override string toString() { result = this.getName() }
+  override string toString() { result = this.getLowerCaseName() }
 
   Member getMember(int i) { any(Synthesis s).typeMember(this, i, result) }
 
-  string getName() { any(Synthesis s).typeName(this, result) }
+  string getLowerCaseName() { any(Synthesis s).typeName(this, result) }
 
   Member getAMember() { result = this.getMember(_) }
 
-  Method getMethod(string name) { result = this.getAMember() and result.getName() = name }
+  Method getMethod(string name) { result = this.getAMember() and result.getLowerCaseName() = name }
 
   Method getAMethod() { result = this.getMethod(_) }
 
   Constructor getAConstructor() {
     result = this.getAMethod() and
-    result.getName() = this.getName()
+    result.getLowerCaseName() = this.getLowerCaseName()
   }
 
   TypeConstraint getBaseType(int i) { none() }
diff --git a/powershell/ql/lib/semmle/code/powershell/ast/internal/TypeDefinitionStmt.qll b/powershell/ql/lib/semmle/code/powershell/ast/internal/TypeDefinitionStmt.qll
@@ -1,9 +1,9 @@
 private import AstImport
 
 class TypeDefinitionStmt extends Stmt, TTypeDefinitionStmt {
-  string getName() { result = getRawAst(this).(Raw::TypeStmt).getName() }
+  string getLowerCaseName() { result = getRawAst(this).(Raw::TypeStmt).getName().toLowerCase() }
 
-  override string toString() { result = this.getName() }
+  override string toString() { result = this.getLowerCaseName() }
 
   Member getMember(int i) {
     exists(ChildIndex index, Raw::Ast r | index = typeStmtMember(i) and r = getRawAst(this) |
@@ -24,7 +24,7 @@ class TypeDefinitionStmt extends Stmt, TTypeDefinitionStmt {
 
   Constructor getAConstructor() {
     result = this.getAMethod() and
-    result.getName() = this.getName()
+    result.getLowerCaseName() = this.getLowerCaseName()
   }
 
   TypeConstraint getBaseType(int i) {
@@ -38,7 +38,7 @@ class TypeDefinitionStmt extends Stmt, TTypeDefinitionStmt {
 
   TypeConstraint getABaseType() { result = this.getBaseType(_) }
 
-  TypeDefinitionStmt getASubtype() { result.getABaseType().getName() = this.getName() }
+  TypeDefinitionStmt getASubtype() { result.getABaseType().getName() = this.getLowerCaseName() }
 
   Type getType() { synthChild(getRawAst(this), typeDefType(), result) }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll b/powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll
@@ -639,7 +639,11 @@ module ExprNodes {
 
     ExprCfgNode getMemberExpr() { e.hasCfgChild(e.getMemberExpr(), this, result) }
 
-    string getMemberName() { result = e.getMemberName() }
+    string getLowerCaseMemberName() { result = e.getLowerCaseMemberName() }
+
+    bindingset[name]
+    pragma[inline_late]
+    predicate memberNameMatches(string name) { this.getLowerCaseMemberName() = name.toLowerCase() }
 
     predicate isStatic() { e.isStatic() }
   }
@@ -1504,7 +1508,7 @@ module StmtNodes {
 
     Type getType() { result = s.getType() }
 
-    string getName() { result = s.getName() }
+    string getLowerCaseName() { result = s.getLowerCaseName() }
   }
 
   private class FunctionDefinitionChildMapping extends NonExprChildMapping, FunctionDefinitionStmt {
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll
@@ -210,10 +210,10 @@ Node trackInstance(string typename, boolean exact) {
 }
 
 private Type getTypeWithName(string s, boolean exact) {
-  result.getName() = s and
+  result.getLowerCaseName() = s and
   exact = true
   or
-  result.getASubtype+().getName() = s and
+  result.getASubtype+().getLowerCaseName() = s and
   exact = false
 }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll
@@ -353,9 +353,9 @@ private module Cached {
   cached
   newtype TContent =
     TFieldContent(string name) {
-      name = any(PropertyMember member).getName()
+      name = any(PropertyMember member).getLowerCaseName()
       or
-      name = any(MemberExpr me).getMemberName()
+      name = any(MemberExpr me).getLowerCaseMemberName()
     } or
     // A known map key
     TKnownKeyContent(ConstantValue cv) { exists(cv.asString()) } or
@@ -892,7 +892,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
   exists(CfgNodes::ExprNodes::MemberExprWriteAccessCfgNode var, Content::FieldContent fc |
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = var.getQualifier() and
     node1.asExpr() = var.getAssignStmt().getRightHandSide() and
-    fc.getName() = var.getMemberName() and
+    fc.getLowerCaseName() = var.getLowerCaseMemberName() and
     c.isSingleton(fc)
   )
   or
@@ -961,7 +961,7 @@ predicate readStep(Node node1, ContentSet c, Node node2) {
   exists(CfgNodes::ExprNodes::MemberExprReadAccessCfgNode var, Content::FieldContent fc |
     node2.asExpr() = var and
     node1.asExpr() = var.getQualifier() and
-    fc.getName() = var.getMemberName() and
+    fc.getLowerCaseName() = var.getLowerCaseMemberName() and
     c.isSingleton(fc)
   )
   or
@@ -1310,7 +1310,7 @@ predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c)
   exists(kind) and
   exists(FunctionBase f |
     f.getBody() = c.asCfgScope() and
-    creation.asExpr().(CmdName).getName() = f.getName()
+    creation.asExpr().(CmdName).getName() = f.getLowerCaseName()
   )
 }
 
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPublic.qll
@@ -301,7 +301,7 @@ module Content {
     FieldContent() { this = TFieldContent(name) }
 
     /** Gets the name of the field. */
-    string getName() { result = name }
+    string getLowerCaseName() { result = name }
 
     override string toString() { result = name }
   }
@@ -527,6 +527,9 @@ class CallNode extends ExprNode {
   /** Gets the argument with the name `name`, if any. */
   Node getNamedArgument(string name) { result.asExpr() = call.getNamedArgument(name) }
 
+  /** Holds if an argument with name `name` is provided to this call. */
+  predicate hasNamedArgument(string name) { call.hasNamedArgument(name) }
+
   /**
    * Gets any argument of this call.
    *
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -0,0 +1,78 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * SQL-injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.ApiGraphs
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
+private import semmle.code.powershell.Cfg
+
+module SqlInjection {
+  /**
+   * A data flow source for SQL-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this flow source. */
+    abstract string getSourceType();
+  }
+
+  /**
+   * A data flow sink for SQL-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    abstract string getSinkType();
+  }
+
+  /**
+   * A sanitizer for SQL-injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of user input, considered as a flow source for command injection. */
+  class FlowSourceAsSource extends Source instanceof SourceNode {
+    override string getSourceType() { result = "user-provided value" }
+  }
+
+  class InvokeSqlCmdSink extends Sink {
+    InvokeSqlCmdSink() {
+      exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
+        this = call.getNamedArgument("query")
+        or
+        not call.hasNamedArgument("query") and
+        this = call.getArgument(0)
+      )
+    }
+
+    override string getSinkType() { result = "call to Invoke-Sqlcmd" }
+  }
+
+  class ConnectionStringWriteSink extends Sink {
+    string memberName;
+
+    ConnectionStringWriteSink() {
+      exists(CfgNodes::StmtNodes::AssignStmtCfgNode assign |
+        memberName = "CommandText" and
+        assign
+            .getLeftHandSide()
+            .(CfgNodes::ExprNodes::MemberExprCfgNode)
+            .memberNameMatches(memberName) and
+        assign.getRightHandSide() = this.asExpr()
+      )
+    }
+
+    override string getSinkType() { result = "write to " + memberName }
+  }
+
+  class SqlCmdSink extends Sink {
+    SqlCmdSink() {
+      exists(DataFlow::CallOperatorNode call |
+        call.getCommand().asExpr().getValue().stringMatches("sqlcmd") and
+        call.getAnArgument() = this
+      )
+    }
+
+    override string getSinkType() { result = "call to sqlcmd" }
+  }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionQuery.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionQuery.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * SQL-injection vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `SqlInjectionFlow` is needed, otherwise
+ * `SqlInjectionCustomizations` should be imported instead.
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.TaintTracking
+import SqlInjectionCustomizations::SqlInjection
+import semmle.code.powershell.dataflow.DataFlow
+
+private module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for reasoning about SQL-injection vulnerabilities.
+ */
+module SqlInjectionFlow = TaintTracking::Global<Config>;
diff --git a/powershell/ql/src/experimental/UseOfReservedCmdletChar.ql b/powershell/ql/src/experimental/UseOfReservedCmdletChar.ql
@@ -26,5 +26,5 @@ class ReservedCharacter extends string {
 }
 
 from Function f, ReservedCharacter r
-where f.getName().matches("%"+ r + "%")
+where f.getLowerCaseName().matches("%"+ r + "%")
 select f, "Function name contains a reserved character: " + r
diff --git a/powershell/ql/src/queries/security/cwe-089/SqlInjection.qhelp b/powershell/ql/src/queries/security/cwe-089/SqlInjection.qhelp
diff --git a/powershell/ql/src/queries/security/cwe-089/SqlInjection.ql b/powershell/ql/src/queries/security/cwe-089/SqlInjection.ql
diff --git a/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1 b/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1
diff --git a/powershell/ql/test/library-tests/ast/Expressions/expressions.expected b/powershell/ql/test/library-tests/ast/Expressions/expressions.expected
diff --git a/powershell/ql/test/library-tests/ast/parent.expected b/powershell/ql/test/library-tests/ast/parent.expected
diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected
diff --git a/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.qlref b/powershell/ql/test/query-tests/security/cwe-089/SqlInjection.qlref
diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1

Original file line number	Diff line number	Diff line change
`@@ -577,7 +577,7 @@ module API {`
`577`	`577`	`)`
`578`	`578`	`or`
`579`	`579`	`exists(MemberExprReadAccess read \|`
`580`		`- read.getMemberName().toLowerCase() = name and`
	`580`	`+ read.getLowerCaseMemberName().toLowerCase() = name and`
`581`	`581`	`pred = getForwardEndNode(getALocalSourceStrict(getNodeFromExpr(read.getQualifier()))) and`
`582`	`582`	`succ = getForwardStartNode(getNodeFromExpr(read))`
`583`	`583`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`private import AstImport`
`2`	`2`
`3`	`3`	`class PropertyMember extends Member, TPropertyMember {`
`4`		`- final override string getName() { result = getRawAst(this).(Raw::PropertyMember).getName() }`
	`4`	`+ final override string getLowerCaseName() { result = getRawAst(this).(Raw::PropertyMember).getName().toLowerCase() }`
`5`	`5`
`6`		`- final override string toString() { result = this.getName() }`
	`6`	`+ final override string toString() { result = this.getLowerCaseName() }`
`7`	`7`	`}`