PS: Models-as-data skeleton.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/Call.qll

@@ -6,6 +6,8 @@ private import semmle.code.powershell.controlflow.CfgNodes
 abstract private class AbstractCall extends Ast {
   abstract Expr getCommand();
 
+  abstract string getName();
+
   /** Gets the i'th argument to this call. */
   abstract Expr getArgument(int i);
 
@@ -34,6 +36,8 @@ class CmdCall extends AbstractCall instanceof Cmd {
 
   final override Expr getPositionalArgument(int i) { result = Cmd.super.getPositionalArgument(i) }
 
+  final override string getName() { result = Cmd.super.getCommandName() }
+
   final override Expr getArgument(int i) { result = Cmd.super.getArgument(i) }
 
   final override Expr getNamedArgument(string name) { result = Cmd.super.getNamedArgument(name) }
@@ -68,6 +72,8 @@ class MethodCall extends AbstractCall instanceof InvokeMemberExpr {
       result.getBody() = getTarget(call)
     )
   }
+
+  final override string getName() { result = InvokeMemberExpr.super.getName() }
 }
 
 final class Call = AbstractCall;

powershell/ql/lib/semmle/code/powershell/Frameworks.qll

@@ -0,0 +1,59 @@
+/** Provides classes and predicates for defining flow summaries. */
+
+import powershell
+private import semmle.code.powershell.controlflow.Cfg
+private import semmle.code.powershell.typetracking.TypeTracking
+import semmle.code.powershell.dataflow.DataFlow
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowDispatch
+private import internal.DataFlowImplCommon as DataFlowImplCommon
+private import internal.DataFlowPrivate
+
+// import all instances below
+private module Summaries {
+  private import semmle.code.powershell.Frameworks
+  private import semmle.code.powershell.frameworks.data.ModelsAsData
+}
+
+/** A callable with a flow summary, identified by a unique string. */
+abstract class SummarizedCallable extends LibraryCallable, Impl::Public::SummarizedCallable {
+  bindingset[this]
+  SummarizedCallable() { any() }
+
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    this.propagatesFlow(input, output, preservesValue) and model = ""
+  }
+
+  /**
+   * Holds if data may flow from `input` to `output` through this callable.
+   *
+   * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
+   */
+  predicate propagatesFlow(string input, string output, boolean preservesValue) { none() }
+
+  /**
+   * Gets the synthesized parameter that results from an input specification
+   * that starts with `Argument[s]` for this library callable.
+   */
+  DataFlow::ParameterNode getParameter(string s) {
+    exists(ParameterPosition pos |
+      DataFlowImplCommon::parameterNode(result, TLibraryCallable(this), pos) and
+      s = Impl::Input::encodeParameterPosition(pos)
+    )
+  }
+}
+
+/**
+ * A callable with a flow summary, identified by a unique string, where all
+ * calls to a method with the same name are considered relevant.
+ */
+abstract class SimpleSummarizedCallable extends SummarizedCallable {
+  Call c;
+
+  bindingset[this]
+  SimpleSummarizedCallable() { c.getName() = this }
+
+  final override MethodCall getACall() { result = c }
+}

powershell/ql/lib/semmle/code/powershell/dataflow/FlowSummary.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides an extension point for modeling user-controlled data.
+ * Such data is often used as data-flow sources in security queries.
+ */
+
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+// Need to import since frameworks can extend `RemoteFlowSource::Range`
+private import semmle.code.powershell.Frameworks
+
+/**
+ * A data flow source of remote user input.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RemoteFlowSource::Range` instead.
+ */
+class RemoteFlowSource extends DataFlow::Node instanceof RemoteFlowSource::Range {
+  /** Gets a string that describes the type of this remote flow source. */
+  string getSourceType() { result = super.getSourceType() }
+}
+
+/** Provides a class for modeling new sources of remote user input. */
+module RemoteFlowSource {
+  /**
+   * A data flow source of remote user input.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `RemoteFlowSource` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    abstract string getSourceType();
+  }
+}

powershell/ql/lib/semmle/code/powershell/dataflow/RemoteFlowSources.qll

@@ -3,6 +3,8 @@ private import semmle.code.powershell.Cfg
 private import DataFlowPrivate
 private import DataFlowPublic
 private import semmle.code.powershell.typetracking.internal.TypeTrackingImpl
+private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.powershell.dataflow.FlowSummary
 private import codeql.util.Boolean
 private import codeql.util.Unit
 
@@ -108,6 +110,24 @@ abstract class DataFlowCall extends TDataFlowCall {
   }
 }
 
+class SummaryCall extends DataFlowCall, TSummaryCall {
+  private FlowSummaryImpl::Public::SummarizedCallable c;
+  private FlowSummaryImpl::Private::SummaryNode receiver;
+
+  SummaryCall() { this = TSummaryCall(c, receiver) }
+
+  /** Gets the data flow node that this call targets. */
+  FlowSummaryImpl::Private::SummaryNode getReceiver() { result = receiver }
+
+  override DataFlowCallable getEnclosingCallable() { result.asLibraryCallable() = c }
+
+  override CfgNodes::CallCfgNode asCall() { none() }
+
+  override string toString() { result = "[summary] call to " + receiver + " in " + c }
+
+  override EmptyLocation getLocation() { any() }
+}
+
 class NormalCall extends DataFlowCall, TNormalCall {
   private CfgNodes::CallCfgNode c;
 
@@ -218,7 +238,13 @@ private module Cached {
     TLibraryCallable(LibraryCallable callable)
 
   cached
-  newtype TDataFlowCall = TNormalCall(CfgNodes::CallCfgNode c)
+  newtype TDataFlowCall =
+    TNormalCall(CfgNodes::CallCfgNode c) or
+    TSummaryCall(
+      FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
+    ) {
+      FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
+    }
 
   /** Gets a viable run-time target for the call `call`. */
   cached
@@ -234,12 +260,18 @@ private module Cached {
   cached
   newtype TArgumentPosition =
     TThisArgumentPosition() or
-    TKeywordArgumentPosition(string name) { name = any(Argument p).getName() } or
+    TKeywordArgumentPosition(string name) {
+      name = any(Argument p).getName()
+      or
+      FlowSummaryImpl::ParsePositions::isParsedKeywordParameterPosition(_, name)
+    } or
     TPositionalArgumentPosition(int pos, NamedSet ns) {
       exists(CfgNodes::CallCfgNode call |
         call = ns.getABindingCall() and
         exists(call.getArgument(pos))
       )
+      or
+      FlowSummaryImpl::ParsePositions::isParsedParameterPosition(_, pos)
     } or
     TPipelineArgumentPosition()