PS: Fix more pipeline flow.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/ast/internal/CallExpr.qll

@@ -28,6 +28,10 @@ class CallExpr extends Expr, TCallExpr {
   /** Gets the qualifier of this call, if any. */
   Expr getQualifier() { none() }
 
+  Expr getPipelineArgument() {
+    exists(Pipeline p, int i | this = p.getComponent(i + 1) and result = p.getComponent(i))
+  }
+
   final override string toString() { result = "Call to " + this.getName() }
 
   predicate isStatic() { none() }
@@ -52,3 +56,11 @@ class Qualifier extends Expr {
 
   CallExpr getCall() { result = call }
 }
+
+class PipelineArgument extends Expr {
+  CallExpr call;
+
+  PipelineArgument() { this = call.getPipelineArgument() }
+
+  CallExpr getCall() { result = call }
+}

powershell/ql/lib/semmle/code/powershell/ast/internal/ChildIndex.qll

@@ -36,14 +36,23 @@ newtype ChildIndex =
   // PipelineByPropertNameVar(Raw::PipelineByPropertyNameParameter p) or
   PipelineIteratorVar() or
   PipelineByPropertyNameIteratorVar(Raw::PipelineByPropertyNameParameter p) or
-  RealVar(string name) { name = variableNameInScope(_, _) }
+  RealVar(string name) { name = variableNameInScope(_, _) } or
+  ProcessBlockPipelineVarReadAccess()
 
 int synthPipelineParameterChildIndex(Raw::ScriptBlock sb) {
+  // If there is a parameter block, but no pipeline parameter
   exists(Raw::ParamBlock pb |
     pb = sb.getParamBlock() and
     not pb.getAParameter() instanceof Raw::PipelineParameter and
     result = pb.getNumParameters()
   )
+  or
+  // There is no parameter block
+  not exists(sb.getParamBlock()) and
+  exists(Raw::FunctionDefinitionStmt funDefStmt |
+    funDefStmt.getBody() = sb and
+    result = funDefStmt.getNumParameters()
+  )
 }
 
 string stringOfChildIndex(ChildIndex i) {
@@ -105,6 +114,9 @@ string stringOfChildIndex(ChildIndex i) {
   or
   i = FunctionBody() and
   result = "FunctionBody"
+  or
+  i = ProcessBlockPipelineVarReadAccess() and
+  result = "ProcessBlockPipelineVarReadAccess"
 }
 
 Raw::ChildIndex toRawChildIndex(ChildIndex i) { i = RawChildIndex(result) }
@@ -326,3 +338,5 @@ ChildIndex usingExprExpr() { result = RawChildIndex(Raw::UsingExprExpr()) }
 ChildIndex whileStmtCond() { result = RawChildIndex(Raw::WhileStmtCond()) }
 
 ChildIndex whileStmtBody() { result = RawChildIndex(Raw::WhileStmtBody()) }
+
+ChildIndex processBlockPipelineVarReadAccess() { result = ProcessBlockPipelineVarReadAccess() }

powershell/ql/lib/semmle/code/powershell/ast/internal/NamedBlock.qll

@@ -50,6 +50,14 @@ class ProcessBlock extends NamedBlock {
     result = this.getEnclosingFunction().getPipelineParameter()
   }
 
+  PipelineIteratorVariable getPipelineIteratorVariable() {
+    result = TVariableSynth(getRawAst(this), PipelineIteratorVar())
+  }
+
+  VarReadAccess getPipelineParameterAccess() {
+    synthChild(getRawAst(this), processBlockPipelineVarReadAccess(), result)
+  }
+
   PipelineByPropertyNameParameter getAPipelineByPropertyNameParameter() {
     result = scriptBlock.getEnclosingFunction().getAParameter()
   }

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/Function.qll

@@ -11,6 +11,8 @@ class FunctionDefinitionStmt extends @function_definition, Stmt {
 
   Parameter getAParameter() { result = this.getParameter(_) }
 
+  int getNumParameters() { result = count(this.getParameter(_)) }
+
   override Ast getChild(ChildIndex i) {
     i = FunDefStmtBody() and result = this.getBody()
     or

powershell/ql/lib/semmle/code/powershell/ast/internal/Synthesis.qll

@@ -728,6 +728,7 @@ private module IteratorAccessSynth {
     }
 
     private predicate stmt(Raw::Ast rawParent, ChildIndex i, Raw::CmdExpr cmdExpr, Child child) {
+      exists(this.varAccess(cmdExpr.getExpr())) and
       rawParent.getChild(toRawChildIndex(i)) = cmdExpr and
       not mustHaveExprChild(rawParent, cmdExpr) and
       child = SynthChild(ExprStmtKind())
@@ -805,3 +806,31 @@ private module IteratorAccessSynth {
     }
   }
 }
+
+private module PipelineAccess {
+  private class PipelineAccess extends Synthesis {
+    final override predicate child(Raw::Ast parent, ChildIndex i, Child child) {
+      exists(Raw::ProcessBlock pb | parent = pb |
+        i = processBlockPipelineVarReadAccess() and
+        exists(PipelineVariable pipelineVar |
+          pipelineVar = TVariableSynth(pb.getScriptBlock(), PipelineParamVar()) and
+          child = SynthChild(VarAccessSynthKind(pipelineVar))
+        )
+      )
+    }
+
+    final override Location getLocation(Ast n) {
+      exists(ProcessBlock pb |
+        pb.getPipelineParameterAccess() = n and
+        result = pb.getLocation()
+      )
+    }
+
+    final override predicate getAnAccess(VarAccessSynth va, Variable v) {
+      exists(ProcessBlock pb |
+        pb.getPipelineParameterAccess() = va and
+        v = pb.getPipelineParameter()
+      )
+    }
+  }
+}

powershell/ql/lib/semmle/code/powershell/ast/internal/Variable.qll

@@ -100,7 +100,7 @@ module Private {
 
     final override Variable getVariableImpl() { access(va, result) }
 
-    final override string toString() { result = "access to " + va.getUserPath() }
+    final override string toString() { result = va.getUserPath() }
   }
 
   class VarAccessSynth extends VarAccessImpl, TVarAccessSynth {
@@ -111,7 +111,7 @@ module Private {
 
     final override Variable getVariableImpl() { any(Synthesis s).getAnAccess(this, result) }
 
-    final override string toString() { result = "access to " + this.getVariableImpl().getName() }
+    final override string toString() { result = this.getVariableImpl().getName() }
 
     final override Location getLocation() { result = parent.getLocation() }
   }

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -272,7 +272,13 @@ class NamedBlockCfgNode extends AstCfgNode {
   StmtNodes::TrapStmtCfgNode getATrapStmt() { result = this.getTrapStmt(_) }
 }
 
-private class ProcessBlockChildMapping extends NamedBlockChildMapping, ProcessBlock { }
+private class ProcessBlockChildMapping extends NamedBlockChildMapping, ProcessBlock {
+  override predicate relevantChild(Ast child) {
+    super.relevantChild(child)
+    or
+    child = super.getPipelineParameterAccess()
+  }
+}
 
 class ProcessBlockCfgNode extends NamedBlockCfgNode {
   override string getAPrimaryQlClass() { result = "ProcessBlockCfgNode" }
@@ -287,6 +293,10 @@ class ProcessBlockCfgNode extends NamedBlockCfgNode {
     result.getScriptBlock() = this.getScriptBlock().getAstNode()
   }
 
+  ExprNodes::VarReadAccessCfgNode getPipelineVariableAccess() {
+    block.hasCfgChild(block.getPipelineParameterAccess(), this, result)
+  }
+
   PipelineIteratorVariable getPipelineIteratorVariable() {
     result.getProcessBlock().getScriptBlock() = this.getScriptBlock().getAstNode()
   }
@@ -528,6 +538,13 @@ module ExprNodes {
 
     ExprCfgNode getCallee() { e.hasCfgChild(e.getCallee(), this, result) }
 
+    ExprCfgNode getPipelineArgument() {
+      exists(ExprNodes::PipelineCfgNode pipeline, int i |
+        pipeline.getComponent(i + 1) = this and
+        result = pipeline.getComponent(i)
+      )
+    }
+
     predicate isStatic() { this.getExpr().isStatic() }
   }
 
@@ -992,6 +1009,12 @@ module ExprNodes {
     CallExprCfgNode getCall() { result.getQualifier() = this }
   }
 
+  class PipelineArgumentCfgNode extends ExprCfgNode {
+    override PipelineArgument e;
+
+    CallExprCfgNode getCall() { result.getPipelineArgument() = this }
+  }
+
   private class EnvVariableChildMapping extends ExprChildMapping, EnvVariable {
     override predicate relevantChild(Ast child) { none() }
   }

powershell/ql/lib/semmle/code/powershell/controlflow/internal/ControlFlowGraphImpl.qll

@@ -193,21 +193,21 @@ module Trees {
       or
       exists(int i |
         last(super.getParameter(i), pred, c) and
-        completionIsNormal(c) and
+        completionIsNormal(c)
+      |
         first(super.getParameter(i + 1), succ)
-      )
-      or
-      last(super.getParameter(super.getNumberOfParameters() - 1), pred, c) and
-      completionIsNormal(c) and
-      (
-        first(super.getBeginBlock(), succ)
-        or
-        not exists(super.getBeginBlock()) and
-        first(super.getProcessBlock(), succ)
         or
-        not exists(super.getBeginBlock()) and
-        not exists(super.getProcessBlock()) and
-        first(super.getEndBlock(), succ)
+        not exists(super.getParameter(i + 1)) and
+        (
+          first(super.getBeginBlock(), succ)
+          or
+          not exists(super.getBeginBlock()) and
+          first(super.getProcessBlock(), succ)
+          or
+          not exists(super.getBeginBlock()) and
+          not exists(super.getProcessBlock()) and
+          first(super.getEndBlock(), succ)
+        )
       )
       or
       last(super.getBeginBlock(), pred, c) and
@@ -292,9 +292,55 @@ module Trees {
     final override predicate succEntry(Ast n, Completion c) { n = this and completionIsSimple(c) }
   }
 
-  class NamedBlockTree extends StandardPreOrderTree instanceof NamedBlock {
-    // TODO: Handle trap
-    override AstNode getChildNode(int i) { result = super.getStmt(i) }
+  abstract class NamedBlockTreeBase extends ControlFlowTree instanceof NamedBlock {
+    final override predicate last(Ast last, Completion c) {
+      exists(int i | last(super.getStmt(i), last, c) |
+        completionIsNormal(c) and
+        not exists(super.getStmt(i + 1))
+        or
+        not completionIsNormal(c)
+      )
+      or
+      not exists(super.getAStmt()) and
+      completionIsSimple(c) and
+      last = this
+    }
+
+    override predicate succ(Ast pred, Ast succ, Completion c) {
+      pred = this and
+      completionIsSimple(c) and
+      first(super.getStmt(0), succ)
+      or
+      exists(int i |
+        last(super.getStmt(i), pred, c) and
+        completionIsNormal(c) and
+        first(super.getStmt(i + 1), succ)
+      )
+    }
+
+    override predicate propagatesAbnormal(Ast child) { child = super.getAStmt() }
+  }
+
+  class NamedBlockTree extends NamedBlockTreeBase instanceof NamedBlock {
+    NamedBlockTree() { not this instanceof ProcessBlock }
+
+    final override predicate first(Ast first) { first = this }
+
+    final override predicate propagatesAbnormal(Ast child) { super.propagatesAbnormal(child) }
+  }
+
+  class ProcessBlockTree extends NamedBlockTreeBase instanceof ProcessBlock {
+    final override predicate first(Ast first) { first = super.getPipelineParameterAccess() }
+
+    final override predicate succ(Ast pred, Ast succ, Completion c) {
+      this.first(pred) and
+      completionIsSimple(c) and
+      succ = this
+      or
+      super.succ(pred, succ, c)
+    }
+
+    final override predicate propagatesAbnormal(Ast child) { super.propagatesAbnormal(child) }
   }
 
   class AssignStmtTree extends StandardPreOrderTree instanceof AssignStmt {