PS: Add flow into, and out of, the new implicit unwrapping nodes.

Author: MathiasVP

powershell/ql/lib/powershell.qll

@@ -7,6 +7,7 @@ import semmle.code.powershell.Expression
 import semmle.code.powershell.CommandBase
 import semmle.code.powershell.AttributeBase
 import semmle.code.powershell.PipelineBase
+import semmle.code.powershell.PipelineChain
 import semmle.code.powershell.BaseConstantExpression
 import semmle.code.powershell.ConstantExpression
 import semmle.code.powershell.MemberExpressionBase

powershell/ql/lib/semmle/code/powershell/Function.qll

@@ -50,6 +50,12 @@ abstract private class AbstractFunction extends Ast {
     result = this.getBody().getParamBlock().getParameter(i)
   }
 
+  final Parameter getParameterExcludingPipline(int i) {
+    result = this.getFunctionParameter(i)
+    or
+    result = this.getBody().getParamBlock().getParameterExcludingPipline(i)
+  }
+
   final Parameter getThisParameter() {
     result.isThis() and
     result.getFunction() = this

powershell/ql/lib/semmle/code/powershell/NamedAttributeArgument.qll

@@ -1,11 +1,15 @@
 import powershell
 
 class NamedAttributeArgument extends @named_attribute_argument, Ast {
-  final override string toString() { result = this.getValue().toString() }
+  final override string toString() { result = this.getName() }
 
   final override SourceLocation getLocation() { named_attribute_argument_location(this, result) }
 
   string getName() { named_attribute_argument(this, result, _) }
 
   Expr getValue() { named_attribute_argument(this, _, result) }
 }
+
+class ValueFromPipelineAttribute extends NamedAttributeArgument {
+  ValueFromPipelineAttribute() { this.getName() = "ValueFromPipeline" }
+}

powershell/ql/lib/semmle/code/powershell/ParamBlock.qll

@@ -15,5 +15,7 @@ class ParamBlock extends @param_block, Ast {
 
   Parameter getParameter(int i) { result.hasParameterBlock(this, i) }
 
+  Parameter getParameterExcludingPipline(int i) { result.hasParameterBlockExcludingPipeline(this, i) }
+
   Parameter getAParameter() { result = this.getParameter(_) }
 }

powershell/ql/lib/semmle/code/powershell/Variable.qll

@@ -10,6 +10,19 @@ private predicate hasParameterBlockImpl(Internal::Parameter p, ParamBlock block,
   param_block_parameter(block, i, p)
 }
 
+private predicate hasParameterBlockExcludingPipelineImpl(
+  Internal::Parameter p, ParamBlock block, int i
+) {
+  p =
+    rank[i + 1](Internal::Parameter cand, int j |
+      hasParameterBlockImpl(cand, block, j) and
+      not cand.getAnAttribute().(Attribute).getANamedArgument() instanceof
+        ValueFromPipelineAttribute
+    |
+      cand order by j
+    )
+}
+
 /**
  * Gets the enclosing scope of `p`.
  *
@@ -56,10 +69,14 @@ private class ParameterImpl extends TParameterImpl {
 
   predicate hasParameterBlock(ParamBlock block, int i) { none() }
 
+  predicate hasParameterBlockExcludingPipeline(ParamBlock block, int i) { none() }
+
   predicate isFunctionParameter(Function f, int i) { none() }
 
   Expr getDefaultValue() { none() }
 
+  abstract Attribute getAnAttribute();
+
   VarAccess getAnAccess() {
     // TODO: This won't join order nicely.
     result.getUserPath() = this.getName() and
@@ -82,9 +99,15 @@ private class InternalParameter extends ParameterImpl, TInternalParameter {
     hasParameterBlockImpl(p, block, i)
   }
 
+  override predicate hasParameterBlockExcludingPipeline(ParamBlock block, int i) {
+    hasParameterBlockExcludingPipelineImpl(p, block, i)
+  }
+
   override predicate isFunctionParameter(Function f, int i) { isFunctionParameterImpl(p, f, i) }
 
   override Expr getDefaultValue() { result = p.getDefaultValue() }
+
+  override Attribute getAnAttribute() { result = p.getAnAttribute() }
 }
 
 /**
@@ -113,6 +136,8 @@ private class Underscore extends ParameterImpl, TUnderscore {
   override string getName() { result = "_" }
 
   final override Scope getEnclosingScope() { result = scope }
+
+  final override Attribute getAnAttribute() { none() }
 }
 
 private class ThisParameter extends ParameterImpl, TThisParameter {
@@ -125,6 +150,8 @@ private class ThisParameter extends ParameterImpl, TThisParameter {
   override string getName() { result = "this" }
 
   final override Scope getEnclosingScope() { result = scope }
+
+  final override Attribute getAnAttribute() { none() }
 }
 
 private newtype TVariable =
@@ -199,6 +226,10 @@ class Parameter extends AbstractLocalScopeVariable, TParameter {
 
   predicate hasParameterBlock(ParamBlock block, int i) { p.hasParameterBlock(block, i) }
 
+  predicate hasParameterBlockExcludingPipeline(ParamBlock block, int i) {
+    p.hasParameterBlockExcludingPipeline(block, i)
+  }
+
   predicate isFunctionParameter(Function f, int i) { p.isFunctionParameter(f, i) }
 
   Expr getDefaultValue() { result = p.getDefaultValue() }
@@ -215,11 +246,23 @@ class Parameter extends AbstractLocalScopeVariable, TParameter {
    */
   int getIndex() { result = this.getFunctionIndex() or result = this.getBlockIndex() }
 
+  int getIndexExcludingPipeline() {
+    result = this.getFunctionIndex() or result = this.getBlockIndexExcludingPipeline()
+  }
+
   /** Gets the index of this parameter in the parameter block, if any. */
   int getBlockIndex() { this.hasParameterBlock(_, result) }
 
+  int getBlockIndexExcludingPipeline() { this.hasParameterBlockExcludingPipeline(_, result) }
+
   /** Gets the index of this parameter in the function, if any. */
   int getFunctionIndex() { this.isFunctionParameter(_, result) }
 
   Function getFunction() { result.getBody() = this.getDeclaringScope() }
+
+  Attribute getAnAttribute() { result = p.getAnAttribute() }
+
+  predicate isPipeline() {
+    this.getAnAttribute().getANamedArgument() instanceof ValueFromPipelineAttribute
+  }
 }

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -130,20 +130,34 @@ abstract private class NonExprChildMapping extends ChildMapping {
 abstract private class AbstractCallCfgNode extends AstCfgNode {
   override string getAPrimaryQlClass() { result = "CfgCall" }
 
+  /** Holds if this call invokes a function with the name `name`. */
   final predicate hasName(string name) { this.getName() = name }
 
+  /** Gets the name of the function that is invoked by this call. */
   abstract string getName();
 
+  /** Gets the qualifier of this call, if any. */
   ExprCfgNode getQualifier() { none() }
 
+  /** Gets the i'th argument to this call. */
   abstract ExprCfgNode getArgument(int i);
 
+  /** Gets the i'th positional argument to this call. */
   abstract ExprCfgNode getPositionalArgument(int i);
 
+  /** Gets the argument with the name `name`, if any. */
   abstract ExprCfgNode getNamedArgument(string name);
 
+  /**
+   * Gets any argument of this call.
+   *
+   * Note that this predicate doesn't get the pipeline argument, if any.
+   */
   abstract ExprCfgNode getAnArgument();
 
+  /**
+   * Gets the expression that provides the call target of this call, if any.
+   */
   abstract ExprCfgNode getCommand();
 }
 
@@ -381,12 +395,12 @@ module ExprNodes {
 }
 
 module StmtNodes {
-  private class CmdChildMapping extends NonExprChildMapping, Cmd {
+  private class CmdChildMapping extends CmdBaseChildMapping, Cmd {
     override predicate relevantChild(Ast n) { n = this.getAnArgument() or n = this.getCommand() }
   }
 
   /** A control-flow node that wraps a `Cmd` AST expression. */
-  class CmdCfgNode extends StmtCfgNode, AbstractCallCfgNode {
+  class CmdCfgNode extends CmdBaseCfgNode, AbstractCallCfgNode {
     override string getAPrimaryQlClass() { result = "CmdCfgNode" }
 
     override CmdChildMapping s;
@@ -410,14 +424,14 @@ module StmtNodes {
     final override string getName() { result = s.getCmdName().getValue().getValue() }
   }
 
-  private class AssignStmtChildMapping extends NonExprChildMapping, AssignStmt {
+  private class AssignStmtChildMapping extends PipelineBaseChildMapping, AssignStmt {
     override predicate relevantChild(Ast n) {
       n = this.getLeftHandSide() or n = this.getRightHandSide()
     }
   }
 
   /** A control-flow node that wraps an `AssignStmt` AST expression. */
-  class AssignStmtCfgNode extends StmtCfgNode {
+  class AssignStmtCfgNode extends PipelineBaseCfgNode {
     override string getAPrimaryQlClass() { result = "AssignCfgNode" }
 
     override AssignStmtChildMapping s;
@@ -431,12 +445,12 @@ module StmtNodes {
     final StmtCfgNode getRightHandSide() { s.hasCfgChild(s.getRightHandSide(), this, result) }
   }
 
-  class CmdExprChildMapping extends NonExprChildMapping, CmdExpr {
+  class CmdExprChildMapping extends CmdBaseChildMapping, CmdExpr {
     override predicate relevantChild(Ast n) { n = this.getExpr() }
   }
 
   /** A control-flow node that wraps a `CmdExpr` expression. */
-  class CmdExprCfgNode extends StmtCfgNode {
+  class CmdExprCfgNode extends CmdBaseCfgNode {
     override string getAPrimaryQlClass() { result = "CmdExprCfgNode" }
 
     override CmdExprChildMapping s;
@@ -445,4 +459,70 @@ module StmtNodes {
 
     final ExprCfgNode getExpr() { s.hasCfgChild(s.getExpr(), this, result) }
   }
+
+  class PipelineBaseChildMapping extends NonExprChildMapping, PipelineBase {
+    override predicate relevantChild(Ast n) { none() }
+  }
+
+  class PipelineBaseCfgNode extends StmtCfgNode {
+    override string getAPrimaryQlClass() { result = "PipelineBaseCfgNode" }
+
+    override PipelineBaseChildMapping s;
+
+    override PipelineBase getStmt() { result = super.getStmt() }
+  }
+
+  class ChainableChildMapping extends PipelineBaseChildMapping, Chainable {
+    override predicate relevantChild(Ast n) { none() }
+  }
+
+  class ChainableCfgNode extends PipelineBaseCfgNode {
+    override string getAPrimaryQlClass() { result = "ChainableCfgNode" }
+
+    override ChainableChildMapping s;
+
+    override Chainable getStmt() { result = super.getStmt() }
+  }
+
+  class PipelineChainChildMapping extends ChainableChildMapping, PipelineChain {
+    override predicate relevantChild(Ast n) { n = this.getLeft() or n = this.getRight() }
+  }
+
+  class PipelineChainCfgNode extends ChainableCfgNode {
+    override string getAPrimaryQlClass() { result = "PipelineChainCfgNode" }
+
+    override PipelineChainChildMapping s;
+
+    override PipelineChain getStmt() { result = super.getStmt() }
+
+    final ChainableCfgNode getLeft() { s.hasCfgChild(s.getLeft(), this, result) }
+
+    final ChainableCfgNode getRight() { s.hasCfgChild(s.getRight(), this, result) }
+  }
+
+  class CmdBaseChildMapping extends ChainableChildMapping, CmdBase { }
+
+  class CmdBaseCfgNode extends ChainableCfgNode {
+    override string getAPrimaryQlClass() { result = "CmdBaseCfgNode" }
+
+    override CmdBaseChildMapping s;
+
+    override CmdBase getStmt() { result = super.getStmt() }
+  }
+
+  class PipelineChildMapping extends ChainableChildMapping, Pipeline {
+    override predicate relevantChild(Ast n) { n = this.getAComponent() }
+  }
+
+  class PipelineCfgNode extends ChainableCfgNode {
+    override string getAPrimaryQlClass() { result = "PipelineCfgNode" }
+
+    override PipelineChildMapping s;
+
+    override Pipeline getStmt() { result = super.getStmt() }
+
+    final CmdBaseCfgNode getComponent(int i) { s.hasCfgChild(s.getComponent(i), this, result) }
+
+    final CmdBaseCfgNode getAComponent() { s.hasCfgChild(s.getAComponent(), this, result) }
+  }
 }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -96,6 +96,18 @@ module LocalFlow {
     nodeFrom.asStmt() = nodeTo.asStmt().(CfgNodes::StmtNodes::AssignStmtCfgNode).getRightHandSide()
     or
     nodeFrom.asExpr() = nodeTo.asStmt().(CfgNodes::StmtNodes::CmdExprCfgNode).getExpr()
+    or
+    nodeFrom.(AstNode).getCfgNode() = nodeTo.(PreReturNodeImpl).getReturnedNode()
+    or
+    exists(CfgNode cfgNode |
+      nodeFrom = TPreReturnNodeImpl(cfgNode, true) and
+      nodeTo = TImplicitWrapNode(cfgNode, false)
+    )
+    or
+    exists(CfgNode cfgNode |
+      nodeFrom = TImplicitWrapNode(cfgNode, false) and
+      nodeTo = TReturnNodeImpl(cfgNode.getScope())
+    )
   }
 
   predicate localMustFlowStep(Node nodeFrom, Node nodeTo) {