Merge pull request #181 from microsoft/powershell-ast-modernization-follow-up

PS: Fix more taint-tracking/dataflow regressions

Author: chanel-y

powershell/ql/lib/semmle/code/powershell/ast/internal/CallExpr.qll

@@ -28,6 +28,10 @@ class CallExpr extends Expr, TCallExpr {
   /** Gets the qualifier of this call, if any. */
   Expr getQualifier() { none() }
 
+  Expr getPipelineArgument() {
+    exists(Pipeline p, int i | this = p.getComponent(i + 1) and result = p.getComponent(i))
+  }
+
   final override string toString() { result = "Call to " + this.getName() }
 
   predicate isStatic() { none() }
@@ -52,3 +56,11 @@ class Qualifier extends Expr {
 
   CallExpr getCall() { result = call }
 }
+
+class PipelineArgument extends Expr {
+  CallExpr call;
+
+  PipelineArgument() { this = call.getPipelineArgument() }
+
+  CallExpr getCall() { result = call }
+}

powershell/ql/lib/semmle/code/powershell/ast/internal/ChildIndex.qll

@@ -36,14 +36,87 @@ newtype ChildIndex =
   // PipelineByPropertNameVar(Raw::PipelineByPropertyNameParameter p) or
   PipelineIteratorVar() or
   PipelineByPropertyNameIteratorVar(Raw::PipelineByPropertyNameParameter p) or
-  RealVar(string name) { name = variableNameInScope(_, _) }
+  RealVar(string name) { name = variableNameInScope(_, _) } or
+  ProcessBlockPipelineVarReadAccess()
 
 int synthPipelineParameterChildIndex(Raw::ScriptBlock sb) {
+  // If there is a parameter block, but no pipeline parameter
   exists(Raw::ParamBlock pb |
     pb = sb.getParamBlock() and
     not pb.getAParameter() instanceof Raw::PipelineParameter and
     result = pb.getNumParameters()
   )
+  or
+  // There is no parameter block
+  not exists(sb.getParamBlock()) and
+  exists(Raw::FunctionDefinitionStmt funDefStmt |
+    funDefStmt.getBody() = sb and
+    result = funDefStmt.getNumParameters()
+  )
+}
+
+string stringOfChildIndex(ChildIndex i) {
+  exists(Raw::ChildIndex rawIndex |
+    i = RawChildIndex(rawIndex) and
+    result = Raw::stringOfChildIndex(rawIndex)
+  )
+  or
+  i = ParamPipeline() and
+  result = "ParamPipeline"
+  or
+  i = ParamDefaultVal() and
+  result = "ParamDefaultVal"
+  or
+  i = FunParam(_) and
+  result = "FunParam"
+  or
+  i = CmdArgument(_) and
+  result = "CmdArgument"
+  or
+  i = ExprStmtExpr() and
+  result = "ExprStmtExpr"
+  or
+  i = MethodBody() and
+  result = "MethodBody"
+  or
+  i = ThisVar() and
+  result = "ThisVar"
+  or
+  i = PipelineParamVar() and
+  result = "PipelineParamVar"
+  or
+  i = PipelineIteratorVar() and
+  result = "PipelineIteratorVar"
+  or
+  i = PipelineByPropertyNameIteratorVar(_) and
+  result = "PipelineByPropertyNameIteratorVar"
+  or
+  i = RealVar(_) and
+  result = "RealVar"
+  or
+  i = ExprRedirection(_) and
+  result = "ExprRedirection"
+  or
+  i = FunDefFun() and
+  result = "FunDefFun"
+  or
+  i = TypeDefType() and
+  result = "TypeDefType"
+  or
+  i = TypeMember(_) and
+  result = "TypeMember"
+  or
+  i = ScriptBlockAttr(_) and
+  result = "ScriptBlockAttr"
+  or
+  i = ParamAttr(_) and
+  result = "ParamAttr"
+  or
+  i = FunctionBody() and
+  result = "FunctionBody"
+  or
+  i = ProcessBlockPipelineVarReadAccess() and
+  result = "ProcessBlockPipelineVarReadAccess"
 }
 
 Raw::ChildIndex toRawChildIndex(ChildIndex i) { i = RawChildIndex(result) }
@@ -265,3 +338,5 @@ ChildIndex usingExprExpr() { result = RawChildIndex(Raw::UsingExprExpr()) }
 ChildIndex whileStmtCond() { result = RawChildIndex(Raw::WhileStmtCond()) }
 
 ChildIndex whileStmtBody() { result = RawChildIndex(Raw::WhileStmtBody()) }
+
+ChildIndex processBlockPipelineVarReadAccess() { result = ProcessBlockPipelineVarReadAccess() }

powershell/ql/lib/semmle/code/powershell/ast/internal/NamedBlock.qll

@@ -50,6 +50,14 @@ class ProcessBlock extends NamedBlock {
     result = this.getEnclosingFunction().getPipelineParameter()
   }
 
+  PipelineIteratorVariable getPipelineIteratorVariable() {
+    result = TVariableSynth(getRawAst(this), PipelineIteratorVar())
+  }
+
+  VarReadAccess getPipelineParameterAccess() {
+    synthChild(getRawAst(this), processBlockPipelineVarReadAccess(), result)
+  }
+
   PipelineByPropertyNameParameter getAPipelineByPropertyNameParameter() {
     result = scriptBlock.getEnclosingFunction().getAParameter()
   }

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/ChildIndex.qll

@@ -99,3 +99,201 @@ newtype ChildIndex =
   UsingExprExpr() or
   WhileStmtCond() or
   WhileStmtBody()
+
+string stringOfChildIndex(ChildIndex i) {
+  i = ArrayExprStmtBlock() and result = "ArrayExprStmtBlock"
+  or
+  i = ArrayLiteralExpr(_) and result = "ArrayLiteralExpr"
+  or
+  i = AssignStmtLeftHandSide() and result = "AssignStmtLeftHandSide"
+  or
+  i = AssignStmtRightHandSide() and result = "AssignStmtRightHandSide"
+  or
+  i = AttributeNamedArg(_) and result = "AttributeNamedArg"
+  or
+  i = AttributePosArg(_) and result = "AttributePosArg"
+  or
+  i = AttributedExprExpr() and result = "AttributedExprExpr"
+  or
+  i = AttributedExprAttr() and result = "AttributedExprAttr"
+  or
+  i = BinaryExprLeft() and result = "BinaryExprLeft"
+  or
+  i = BinaryExprRight() and result = "BinaryExprRight"
+  or
+  i = CatchClauseBody() and result = "CatchClauseBody"
+  or
+  i = CatchClauseType(_) and result = "CatchClauseType"
+  or
+  i = CmdElement_(_) and result = "CmdElement"
+  or
+  i = CmdCallee() and result = "CmdCallee"
+  or
+  i = CmdRedirection(_) and result = "CmdRedirection"
+  or
+  i = CmdExprExpr() and result = "CmdExprExpr"
+  or
+  i = ConfigurationName() and result = "ConfigurationName"
+  or
+  i = ConfigurationBody() and result = "ConfigurationBody"
+  or
+  i = ConvertExprExpr() and result = "ConvertExprExpr"
+  or
+  i = ConvertExprType() and result = "ConvertExprType"
+  or
+  i = ConvertExprAttr() and result = "ConvertExprAttr"
+  or
+  i = DataStmtBody() and result = "DataStmtBody"
+  or
+  i = DataStmtCmdAllowed(_) and result = "DataStmtCmdAllowed"
+  or
+  i = DoUntilStmtCond() and result = "DoUntilStmtCond"
+  or
+  i = DoUntilStmtBody() and result = "DoUntilStmtBody"
+  or
+  i = DoWhileStmtCond() and result = "DoWhileStmtCond"
+  or
+  i = DoWhileStmtBody() and result = "DoWhileStmtBody"
+  or
+  i = DynamicStmtName() and result = "DynamicStmtName"
+  or
+  i = DynamicStmtBody() and result = "DynamicStmtBody"
+  or
+  i = ExitStmtPipeline() and result = "ExitStmtPipeline"
+  or
+  i = ExpandableStringExprExpr(_) and result = "ExpandableStringExprExpr"
+  or
+  i = ForEachStmtVar() and result = "ForEachStmtVar"
+  or
+  i = ForEachStmtIter() and result = "ForEachStmtIter"
+  or
+  i = ForEachStmtBody() and result = "ForEachStmtBody"
+  or
+  i = ForStmtInit() and result = "ForStmtInit"
+  or
+  i = ForStmtCond() and result = "ForStmtCond"
+  or
+  i = ForStmtIter() and result = "ForStmtIter"
+  or
+  i = ForStmtBody() and result = "ForStmtBody"
+  or
+  i = FunDefStmtBody() and result = "FunDefStmtBody"
+  or
+  i = FunDefStmtParam(_) and result = "FunDefStmtParam"
+  or
+  i = GotoStmtLabel() and result = "GotoStmtLabel"
+  or
+  i = HashTableExprKey(_) and result = "HashTableExprKey"
+  or
+  i = HashTableExprStmt(_) and result = "HashTableExprStmt"
+  or
+  i = IfStmtElse() and result = "IfStmtElse"
+  or
+  i = IfStmtCond(_) and result = "IfStmtCond"
+  or
+  i = IfStmtThen(_) and result = "IfStmtThen"
+  or
+  i = IndexExprIndex() and result = "IndexExprIndex"
+  or
+  i = IndexExprBase() and result = "IndexExprBase"
+  or
+  i = InvokeMemberExprQual() and result = "InvokeMemberExprQual"
+  or
+  i = InvokeMemberExprCallee() and result = "InvokeMemberExprCallee"
+  or
+  i = InvokeMemberExprArg(_) and result = "InvokeMemberExprArg"
+  or
+  i = MemberExprQual() and result = "MemberExprQual"
+  or
+  i = MemberExprMember() and result = "MemberExprMember"
+  or
+  i = NamedAttributeArgVal() and result = "NamedAttributeArgVal"
+  or
+  i = MemberAttr(_) and result = "MemberAttr"
+  or
+  i = MemberTypeConstraint() and result = "MemberTypeConstraint"
+  or
+  i = NamedBlockStmt(_) and result = "NamedBlockStmt"
+  or
+  i = NamedBlockTrap(_) and result = "NamedBlockTrap"
+  or
+  i = ParamBlockAttr(_) and result = "ParamBlockAttr"
+  or
+  i = ParamBlockParam(_) and result = "ParamBlockParam"
+  or
+  i = ParamAttr(_) and result = "ParamAttr"
+  or
+  i = ParamDefaultVal() and result = "ParamDefaultVal"
+  or
+  i = ParenExprExpr() and result = "ParenExprExpr"
+  or
+  i = PipelineComp(_) and result = "PipelineComp"
+  or
+  i = PipelineChainLeft() and result = "PipelineChainLeft"
+  or
+  i = PipelineChainRight() and result = "PipelineChainRight"
+  or
+  i = ReturnStmtPipeline() and result = "ReturnStmtPipeline"
+  or
+  i = RedirectionExpr() and result = "RedirectionExpr"
+  or
+  i = ScriptBlockUsing(_) and result = "ScriptBlockUsing"
+  or
+  i = ScriptBlockParamBlock() and result = "ScriptBlockParamBlock"
+  or
+  i = ScriptBlockBeginBlock() and result = "ScriptBlockBeginBlock"
+  or
+  i = ScriptBlockCleanBlock() and result = "ScriptBlockCleanBlock"
+  or
+  i = ScriptBlockDynParamBlock() and result = "ScriptBlockDynParamBlock"
+  or
+  i = ScriptBlockEndBlock() and result = "ScriptBlockEndBlock"
+  or
+  i = ScriptBlockProcessBlock() and result = "ScriptBlockProcessBlock"
+  or
+  i = ScriptBlockExprBody() and result = "ScriptBlockExprBody"
+  or
+  i = StmtBlockStmt(_) and result = "StmtBlockStmt"
+  or
+  i = StmtBlockTrapStmt(_) and result = "StmtBlockTrapStmt"
+  or
+  i = ExpandableSubExprExpr() and result = "ExpandableSubExprExpr"
+  or
+  i = SwitchStmtCond() and result = "SwitchStmtCond"
+  or
+  i = SwitchStmtDefault() and result = "SwitchStmtDefault"
+  or
+  i = SwitchStmtCase(_) and result = "SwitchStmtCase"
+  or
+  i = SwitchStmtPat(_) and result = "SwitchStmtPat"
+  or
+  i = CondExprCond() and result = "CondExprCond"
+  or
+  i = CondExprTrue() and result = "CondExprTrue"
+  or
+  i = CondExprFalse() and result = "CondExprFalse"
+  or
+  i = ThrowStmtPipeline() and result = "ThrowStmtPipeline"
+  or
+  i = TryStmtBody() and result = "TryStmtBody"
+  or
+  i = TryStmtCatchClause(_) and result = "TryStmtCatchClause"
+  or
+  i = TryStmtFinally() and result = "TryStmtFinally"
+  or
+  i = TypeStmtMember(_) and result = "TypeStmtMember"
+  or
+  i = TypeStmtBaseType(_) and result = "TypeStmtBaseType"
+  or
+  i = TrapStmtBody() and result = "TrapStmtBody"
+  or
+  i = TrapStmtTypeConstraint() and result = "TrapStmtTypeConstraint"
+  or
+  i = UnaryExprOp() and result = "UnaryExprOp"
+  or
+  i = UsingExprExpr() and result = "UsingExprExpr"
+  or
+  i = WhileStmtCond() and result = "WhileStmtCond"
+  or
+  i = WhileStmtBody() and result = "WhileStmtBody"
+}

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/Function.qll

@@ -11,6 +11,8 @@ class FunctionDefinitionStmt extends @function_definition, Stmt {
 
   Parameter getAParameter() { result = this.getParameter(_) }
 
+  int getNumParameters() { result = count(this.getParameter(_)) }
+
   override Ast getChild(ChildIndex i) {
     i = FunDefStmtBody() and result = this.getBody()
     or

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/Parameter.qll

@@ -35,7 +35,7 @@ class PipelineParameter extends Parameter {
       this.getAnAttribute().(Attribute).getANamedArgument() = namedAttribute and
       namedAttribute.getName().toLowerCase() = "valuefrompipeline"
     |
-      namedAttribute.getValue().(ConstExpr).getValue().getValue() = "true"
+      namedAttribute.getValue().(ConstExpr).getValue().getValue().toLowerCase() = "true"
       or
       not exists(namedAttribute.getValue().(ConstExpr).getValue().getValue())
     )
@@ -50,7 +50,7 @@ class PipelineByPropertyNameParameter extends Parameter {
       this.getAnAttribute().(Attribute).getANamedArgument() = namedAttribute and
       namedAttribute.getName().toLowerCase() = "valuefrompipelinebypropertyname"
     |
-      namedAttribute.getValue().(ConstExpr).getValue().getValue() = "true"
+      namedAttribute.getValue().(ConstExpr).getValue().getValue().toLowerCase() = "true"
       or
       not exists(namedAttribute.getValue().(ConstExpr).getValue().getValue())
     )

powershell/ql/lib/semmle/code/powershell/ast/internal/Raw/VariableExpression.qll

@@ -24,6 +24,10 @@ class VarAccess extends @variable_expression, Expr {
   boolean isVariable() { variable_expression(this, _, _, _, _, _, _, _, _, _, result, _) }
 
   boolean isDriveQualified() { variable_expression(this, _, _, _, _, _, _, _, _, _, _, result) }
+
+  predicate isReadAccess() { not this.isWriteAccess() }
+
+  predicate isWriteAccess() { any(AssignStmt assign).getLeftHandSide() = this }
 }
 
 class ThisAccess extends VarAccess {