PS: Implement global dataflow for environment variable write/reads.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/dataflow/Ssa.qll

@@ -130,6 +130,21 @@ module Ssa {
     final override Location getLocation() { result = this.getBasicBlock().getLocation() }
   }
 
+  class InitialEnvVarDefinition extends Definition, SsaImpl::WriteDefinition {
+    private EnvVariable v;
+
+    InitialEnvVarDefinition() {
+      exists(BasicBlock bb, int i |
+        this.definesAt(v, bb, i) and
+        SsaImpl::envVarWrite(bb, i, v)
+      )
+    }
+
+    final override string toString() { result = "<initial env var> " + v }
+
+    final override Location getLocation() { result = this.getBasicBlock().getLocation() }
+  }
+
   /**  phi node. */
   class PhiNode extends Definition, SsaImpl::PhiNode {
     /** Gets an input of this phi node. */

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -65,7 +65,7 @@ module SsaFlow {
   Impl::Node asNode(Node n) {
     n = TSsaNode(result)
     or
-    result.(Impl::ExprNode).getExpr() = n.asExpr()
+    result.(Impl::ExprNode).getExpr().asExprCfgNode() = n.asExpr()
     or
     exists(CfgNodes::ProcessBlockCfgNode pb, BasicBlock bb, int i |
       n.(ProcessNode).getProcessBlock() = pb and
@@ -86,14 +86,20 @@ module SsaFlow {
       result.(Impl::SsaDefinitionNode).getDefinition().definesAt(p.getIteratorVariable(), bb, i)
     )
     or
-    result.(Impl::ExprPostUpdateNode).getExpr() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
+    result.(Impl::ExprPostUpdateNode).getExpr().asExprCfgNode() =
+      n.(PostUpdateNode).getPreUpdateNode().asExpr()
     or
     exists(SsaImpl::ParameterExt p |
       n = toParameterNode(p) and
       p.isInitializedBy(result.(Impl::WriteDefSourceNode).getDefinition())
     )
     or
     result.(Impl::WriteDefSourceNode).getDefinition().(Ssa::WriteDefinition).assigns(n.asExpr())
+    or
+    exists(Scope scope, EnvVariable v |
+      result.(Impl::ExprNode).getExpr().isFinalEnvVarRead(scope, v) and
+      n = TFinalEnvVarRead(scope, v)
+    )
   }
 
   predicate localFlowStep(
@@ -241,7 +247,15 @@ private module Cached {
       // We want to prune irrelevant models before materialising data flow nodes, so types contributed
       // directly from CodeQL must expose their pruning info without depending on data flow nodes.
       (any(ModelInput::TypeModel tm).isTypeUsed("") implies any())
-    }
+    } or
+    TFinalEnvVarRead(Scope scope, EnvVariable envVar) {
+      exists(ExitBasicBlock exit |
+        envVar.getAnAccess().getEnclosingScope() = scope and
+        exit.getScope() = scope and
+        SsaImpl::envVarRead(exit, _, envVar)
+      )
+    } or
+    TEnvVarNode(EnvVariable envVar)
 
   cached
   Location getLocation(NodeImpl n) { result = n.getLocationImpl() }
@@ -900,6 +914,15 @@ private module OutNodes {
 import OutNodes
 
 predicate jumpStep(Node pred, Node succ) {
+  // final env read -> env variable node
+  pred.(FinalEnvVarRead).getVariable() = succ.(EnvVarNode).getVariable()
+  or
+  // env variable node -> initial env def
+  exists(SsaImpl::Definition def |
+    succ.(SsaDefinitionNodeImpl).getDefinition() = def and
+    def.definesAt(pred.(EnvVarNode).getVariable(), any(EntryBasicBlock entry), -1)
+  )
+  or
   FlowSummaryImpl::Private::Steps::summaryJumpStep(pred.(FlowSummaryNode).getSummaryNode(),
     succ.(FlowSummaryNode).getSummaryNode())
 }
@@ -1308,6 +1331,39 @@ class ScriptBlockNode extends TScriptBlockNode, NodeImpl {
   override predicate nodeIsHidden() { any() }
 }
 
+class EnvVarNode extends TEnvVarNode, NodeImpl {
+  private EnvVariable v;
+
+  EnvVarNode() { this = TEnvVarNode(v) }
+
+  EnvVariable getVariable() { result = v }
+
+  override CfgScope getCfgScope() { result = v.getEnclosingScope() }
+
+  override Location getLocationImpl() { result = v.getLocation() }
+
+  override string toStringImpl() { result = v.toString() }
+
+  override predicate nodeIsHidden() { any() }
+}
+
+class FinalEnvVarRead extends TFinalEnvVarRead, NodeImpl {
+  Scope scope;
+  private EnvVariable v;
+
+  FinalEnvVarRead() { this = TFinalEnvVarRead(scope, v) }
+
+  EnvVariable getVariable() { result = v }
+
+  override CfgScope getCfgScope() { result = scope }
+
+  override Location getLocationImpl() { result = scope.getLocation() }
+
+  override string toStringImpl() { result = v.toString() + " after " + scope }
+
+  override predicate nodeIsHidden() { any() }
+}
+
 /** A node that performs a type cast. */
 class CastNode extends Node {
   CastNode() { none() }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/SsaImpl.qll

@@ -29,6 +29,8 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
     (
       uninitializedWrite(bb, i, v)
       or
+      envVarWrite(bb, i, v)
+      or
       variableWriteActual(bb, i, v, _)
       or
       exists(ProcessBlockCfgNode processBlock | bb.getNode(i) = processBlock |
@@ -43,7 +45,11 @@ module SsaInput implements SsaImplCommon::InputSig<Location> {
   }
 
   predicate variableRead(BasicBlock bb, int i, Variable v, boolean certain) {
-    variableReadActual(bb, i, v) and
+    (
+      variableReadActual(bb, i, v)
+      or
+      envVarRead(bb, i, v)
+    ) and
     certain = true
   }
 }
@@ -66,6 +72,14 @@ predicate uninitializedWrite(Cfg::EntryBasicBlock bb, int i, Variable v) {
   bb.getANode().getAstNode() = v
 }
 
+predicate envVarWrite(Cfg::EntryBasicBlock bb, int i, EnvVariable v) {
+  exists(VarReadAccess va |
+    va.getVariable() = v and
+    va.getEnclosingFunction().getBody() = bb.getScope() and
+    i = -1
+  )
+}
+
 predicate parameterWrite(Cfg::EntryBasicBlock bb, int i, Parameter p) {
   bb.getNode(i).getAstNode() = p
 }
@@ -78,6 +92,14 @@ private predicate variableReadActual(Cfg::BasicBlock bb, int i, Variable v) {
   )
 }
 
+predicate envVarRead(Cfg::ExitBasicBlock bb, int i, EnvVariable v) {
+  exists(VarWriteAccess va |
+    va.getVariable() = v and
+    va.getEnclosingFunction().getBody() = bb.getScope() and
+    bb.getNode(i) instanceof ExitNode
+  )
+}
+
 cached
 private module Cached {
   /**
@@ -165,7 +187,7 @@ private module Cached {
       private predicate guardChecksAdjTypes(
         DataFlowIntegrationInput::Guard g, DataFlowIntegrationInput::Expr e, boolean branch
       ) {
-        guardChecks(g, e, branch)
+        guardChecks(g, e.asExprCfgNode(), branch)
       }
 
       private Node getABarrierNodeImpl() {
@@ -261,11 +283,48 @@ class ParameterExt extends TParameterExt {
 }
 
 private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
-  class Expr extends Cfg::CfgNodes::ExprCfgNode {
-    predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { this = bb.getNode(i) }
+  private newtype TExpr =
+    TExprCfgNode(Cfg::CfgNodes::ExprCfgNode e) or
+    TFinalEnvVarRead(Scope scope, EnvVariable v) {
+      exists(Cfg::ExitBasicBlock exit |
+        exit.getScope() = scope and
+        envVarRead(exit, _, v)
+      )
+    }
+
+  class Expr extends TExpr {
+    Cfg::CfgNodes::ExprCfgNode asExprCfgNode() { this = TExprCfgNode(result) }
+
+    predicate isFinalEnvVarRead(Scope scope, EnvVariable v) { this = TFinalEnvVarRead(scope, v) }
+
+    predicate hasCfgNode(SsaInput::BasicBlock bb, int i) {
+      this.asExprCfgNode() = bb.getNode(i)
+      or
+      exists(EnvVariable v |
+        this.isFinalEnvVarRead(bb.getScope(), v) and
+        bb.getNode(i) instanceof ExitNode
+      )
+    }
+
+    string toString() {
+      result = this.asExprCfgNode().toString()
+      or
+      exists(EnvVariable v |
+        this.isFinalEnvVarRead(_, v) and
+        result = v.toString()
+      )
+    }
   }
 
-  Expr getARead(Definition def) { result = Cached::getARead(def) }
+  Expr getARead(Definition def) {
+    result.asExprCfgNode() = Cached::getARead(def)
+    or
+    exists(Variable v, Cfg::BasicBlock bb, int i |
+      Impl::ssaDefReachesRead(v, def, bb, i) and
+      envVarRead(bb, i, v) and
+      result.isFinalEnvVarRead(bb.getScope(), v)
+    )
+  }
 
   predicate ssaDefHasSource(WriteDefinition def) {
     any(ParameterExt p).isInitializedBy(def) or def.(Ssa::WriteDefinition).assigns(_)
@@ -280,6 +339,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
     predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
       this.hasBranchEdge(bb1, bb2, branch)
     }
+
     /**
      * Holds if the evaluation of this guard to `branch` corresponds to the edge
      * from `bb1` to `bb2`.
@@ -291,8 +351,6 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
         s.getValue() = branch
       )
     }
-
-    
   }
 
   /** Holds if the guard `guard` controls block `bb` upon evaluating to `branch`. */