Merge pull request #113 from microsoft/powershell-element-content

PS: Add `ElementContent` for tracking flow through arrays

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/ConstantExpression.qll

@@ -9,3 +9,119 @@ class ConstExpr extends @constant_expression, BaseConstExpr {
 
   override string toString() { result = this.getValue().toString() }
 }
+
+private newtype TConstantValue =
+  TConstInteger(int value) {
+    exists(ConstExpr ce | ce.getType() = "Int32" and ce.getValue().getValue().toInt() = value)
+  } or
+  TConstDouble(float double) {
+    exists(ConstExpr ce | ce.getType() = "Double" and ce.getValue().getValue().toFloat() = double)
+  } or
+  TConstString(string value) { exists(StringLiteral sl | sl.getValue() = value) } or
+  TConstBoolean(boolean value) {
+    exists(VarAccess va |
+      value = true and
+      va.getUserPath() = "true"
+      or
+      value = false and
+      va.getUserPath() = "false"
+    )
+  } or
+  TNull()
+
+/** A constant value. */
+class ConstantValue extends TConstantValue {
+  /** Gets a string representation of this value. */
+  final string toString() { result = this.getValue() }
+
+  /** Gets the value of this consant. */
+  string getValue() { none() }
+
+  /** Gets the integer value of this constant, if any. */
+  int asInt() { none() }
+
+  /** Gets the floating point value of this constant, if any. */
+  float asDouble() { none() }
+
+  /** Gets the string value of this constant, if any. */
+  string asString() { none() }
+
+  /** Gets the boolean value of this constant, if any. */
+  boolean asBoolean() { none() }
+
+  /** Holds if this constant represents the null value. */
+  predicate isNull() { none() }
+
+  /** Gets a (unique) serialized version of this value. */
+  string serialize() { none() }
+
+  /** Gets an exprssion that has this value. */
+  Expr getAnExpr() { none() }
+}
+
+/** A constant integer value */
+class ConstInteger extends ConstantValue, TConstInteger {
+  final override int asInt() { this = TConstInteger(result) }
+
+  final override string getValue() { result = this.asInt().toString() }
+
+  final override string serialize() { result = this.getValue() }
+
+  final override ConstExpr getAnExpr() { result.getValue().getValue() = this.getValue() }
+}
+
+/** A constant floating point value. */
+class ConstDouble extends ConstantValue, TConstDouble {
+  final override float asDouble() { this = TConstDouble(result) }
+
+  final override string getValue() { result = this.asDouble().toString() }
+
+  final override string serialize() {
+    exists(string res | res = this.asDouble().toString() |
+      if exists(res.indexOf(".")) then result = res else result = res + ".0"
+    )
+  }
+
+  final override ConstExpr getAnExpr() { result.getValue().getValue() = this.getValue() }
+}
+
+/** A constant string value. */
+class ConstString extends ConstantValue, TConstString {
+  final override string asString() { this = TConstString(result) }
+
+  final override string getValue() { result = this.asString() }
+
+  final override string serialize() {
+    result = "\"" + this.asString().replaceAll("\"", "\\\"") + "\""
+  }
+
+  final override ConstExpr getAnExpr() { result.getValue().getValue() = this.getValue() }
+}
+
+/** A constant boolean value. */
+class ConstBoolean extends ConstantValue, TConstBoolean {
+  final override boolean asBoolean() { this = TConstBoolean(result) }
+
+  final override string getValue() { result = this.asBoolean().toString() }
+
+  final override string serialize() { result = this.getValue() }
+
+  final override VarAccess getAnExpr() {
+    this.asBoolean() = true and
+    result.getUserPath() = "true"
+    or
+    this.asBoolean() = false and
+    result.getUserPath() = "false"
+  }
+}
+
+/** The constant null value. */
+class NullConst extends ConstantValue, TNull {
+  final override predicate isNull() { any() }
+
+  final override string getValue() { result = "null" }
+
+  final override string serialize() { result = this.getValue() }
+
+  final override VarAccess getAnExpr() { result.getUserPath() = "null" }
+}

powershell/ql/lib/semmle/code/powershell/Expression.qll

@@ -1,3 +1,11 @@
 import powershell
 
-class Expr extends @expression, CmdElement { }
+/**
+ * An expression.
+ *
+ * This is the topmost class in the hierachy of all expression in PowerShell.
+ */
+class Expr extends @expression, CmdElement {
+  /** Gets the constant value of this expression, if this is known. */
+  final ConstantValue getValue() { result.getAnExpr() = this }
+}

powershell/ql/lib/semmle/code/powershell/IndexExpr.qll

@@ -1,4 +1,5 @@
 import powershell
+private import internal.ExplicitWrite
 
 class IndexExpr extends @index_expression, Expr {
   override string toString() { result = "...[...]" }
@@ -11,3 +12,19 @@ class IndexExpr extends @index_expression, Expr {
 
   predicate isNullConditional() { index_expression(this, _, _, true) }
 }
+
+private predicate isImplicitIndexWrite(Expr e) { none() }
+
+/** An index expression that is being written to. */
+class IndexExprWrite extends IndexExpr {
+  IndexExprWrite() { isExplicitWrite(this, _) or isImplicitIndexWrite(this) }
+
+  predicate isExplicit(AssignStmt assign) { isExplicitWrite(this, assign) }
+
+  predicate isImplicit() { isImplicitIndexWrite(this) }
+}
+
+/** An index expression that is being read from. */
+class IndexExprRead extends IndexExpr {
+  IndexExprRead() { not this instanceof IndexExprWrite }
+}

powershell/ql/lib/semmle/code/powershell/VariableExpression.qll

@@ -1,4 +1,5 @@
 import powershell
+private import internal.ExplicitWrite
 
 private predicate isParameterName(@variable_expression ve) { parameter(_, ve, _, _) }
 
@@ -34,24 +35,16 @@ class VarAccess extends @variable_expression, Expr {
   Variable getVariable() { result.getAnAccess() = this }
 }
 
-private predicate isExplicitVariableWriteAccess(Expr e, AssignStmt assign) {
-  e = assign.getLeftHandSide()
-  or
-  e = any(ConvertExpr convert | isExplicitVariableWriteAccess(convert, assign)).getExpr()
-  or
-  e = any(ArrayLiteral array | isExplicitVariableWriteAccess(array, assign)).getAnElement()
-}
-
 private predicate isImplicitVariableWriteAccess(Expr e) { none() }
 
 class VarReadAccess extends VarAccess {
   VarReadAccess() { not this instanceof VarWriteAccess }
 }
 
 class VarWriteAccess extends VarAccess {
-  VarWriteAccess() { isExplicitVariableWriteAccess(this, _) or isImplicitVariableWriteAccess(this) }
+  VarWriteAccess() { isExplicitWrite(this, _) or isImplicitVariableWriteAccess(this) }
 
-  predicate isExplicit(AssignStmt assign) { isExplicitVariableWriteAccess(this, assign) }
+  predicate isExplicit(AssignStmt assign) { isExplicitWrite(this, assign) }
 
   predicate isImplicit() { isImplicitVariableWriteAccess(this) }
 }

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -46,6 +46,8 @@ class ExprCfgNode extends AstCfgNode {
 
   /** Gets the underlying expression. */
   Expr getExpr() { result = e }
+
+  final ConstantValue getValue() { result = e.getValue() }
 }
 
 /** A control-flow node that wraps an AST statement. */
@@ -323,12 +325,55 @@ module ExprNodes {
   /** A control-flow node that wraps a `MemberExpr` expression that is being written to. */
   class MemberCfgWriteAccessNode extends MemberCfgNode {
     MemberCfgWriteAccessNode() { this.getExpr() instanceof MemberExprWriteAccess }
+
+    StmtNodes::AssignStmtCfgNode getAssignStmt() { result.getLeftHandSide() = this }
   }
 
   /** A control-flow node that wraps a `MemberExpr` expression that is being read from. */
   class MemberCfgReadAccessNode extends MemberCfgNode {
     MemberCfgReadAccessNode() { this.getExpr() instanceof MemberExprReadAccess }
   }
+
+  class ArrayLiteralChildMapping extends ExprChildMapping, ArrayLiteral {
+    override predicate relevantChild(Ast n) { n = this.getAnElement() }
+  }
+
+  class ArrayLiteralCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "ArrayLiteralCfgNode" }
+
+    override ArrayLiteralChildMapping e;
+
+    ExprCfgNode getElement(int i) { e.hasCfgChild(e.getElement(i), this, result) }
+
+    ExprCfgNode getAnElement() { e.hasCfgChild(e.getAnElement(), this, result) }
+  }
+
+  class IndexChildMapping extends ExprChildMapping, IndexExpr {
+    override predicate relevantChild(Ast n) { n = this.getBase() or n = this.getIndex() }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression. */
+  class IndexCfgNode extends ExprCfgNode {
+    override string getAPrimaryQlClass() { result = "IndexCfgNode" }
+
+    override IndexChildMapping e;
+
+    final ExprCfgNode getBase() { e.hasCfgChild(e.getBase(), this, result) }
+
+    final ExprCfgNode getIndex() { e.hasCfgChild(e.getIndex(), this, result) }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression that is being written to. */
+  class IndexCfgWriteNode extends IndexCfgNode {
+    IndexCfgWriteNode() { this.getExpr() instanceof IndexExprWrite }
+
+    StmtNodes::AssignStmtCfgNode getAssignStmt() { result.getLeftHandSide() = this }
+  }
+
+  /** A control-flow node that wraps a `MemberExpr` expression that is being read from. */
+  class IndexCfgReadNode extends IndexCfgNode {
+    IndexCfgReadNode() { this.getExpr() instanceof IndexExprRead }
+  }
 }
 
 module StmtNodes {