PS: Add a model for 'EscapeSingleQuotedStringContent' and add a test.

MathiasVP · MathiasVP · commit 8a58af8f8467 · 2025-04-04T15:48:19.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomation/model.yml b/powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomation/model.yml
@@ -1820,3 +1820,9 @@ extensions:
     - ["System.Collections.ObjectModel.ReadOnlyCollection<System.Management.Automation.PSTypeName>", "System.Management.Automation.FunctionInfo", "Property[OutputType]"]
     - ["System.Management.Automation.Language.ParseError[]", "System.Management.Automation.ParseException", "Property[Errors]"]
     - ["System.Management.Automation.DSCResourceRunAsCredential", "System.Management.Automation.DscResourceAttribute", "Property[RunAsCredential]"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: summaryModel
+    data:
+    - ["System.Management.Automation.Language.CodeGeneration!", "Method[escapesinglequotedstringcontent]", "Argument[0]", "ReturnValue", "taint"]
diff --git a/powershell/ql/test/library-tests/dataflow/local/taint.expected b/powershell/ql/test/library-tests/dataflow/local/taint.expected
@@ -1,3 +1,4 @@
+| file://:0:0:0:0 | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | file://:0:0:0:0 | [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] |
 | test.ps1:1:1:1:3 | a1 | test.ps1:2:6:2:8 | a1 |
 | test.ps1:1:1:24:22 | implicit unwrapping of {...} | test.ps1:1:1:24:22 | return value for {...} |
 | test.ps1:1:1:24:22 | pre-return value for {...} | test.ps1:1:1:24:22 | implicit unwrapping of {...} |
diff --git a/powershell/ql/test/library-tests/dataflow/mad/flow.expected b/powershell/ql/test/library-tests/dataflow/mad/flow.expected
@@ -0,0 +1,19 @@
+models
+edges
+| file://:0:0:0:0 | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | file://:0:0:0:0 | [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | provenance |  |
+| test.ps1:1:6:1:15 | Call to Source | test.ps1:2:94:2:95 | x | provenance |  |
+| test.ps1:2:6:2:96 | Call to EscapeSingleQuotedStringContent | test.ps1:3:6:3:7 | y | provenance |  |
+| test.ps1:2:94:2:95 | x | file://:0:0:0:0 | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | provenance |  |
+| test.ps1:2:94:2:95 | x | test.ps1:2:6:2:96 | Call to EscapeSingleQuotedStringContent | provenance |  |
+nodes
+| file://:0:0:0:0 | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | semmle.label | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] |
+| file://:0:0:0:0 | [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | semmle.label | [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] |
+| test.ps1:1:6:1:15 | Call to Source | semmle.label | Call to Source |
+| test.ps1:2:6:2:96 | Call to EscapeSingleQuotedStringContent | semmle.label | Call to EscapeSingleQuotedStringContent |
+| test.ps1:2:94:2:95 | x | semmle.label | x |
+| test.ps1:3:6:3:7 | y | semmle.label | y |
+subpaths
+| test.ps1:2:94:2:95 | x | file://:0:0:0:0 | [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | file://:0:0:0:0 | [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] | test.ps1:2:6:2:96 | Call to EscapeSingleQuotedStringContent |
+testFailures
+#select
+| test.ps1:3:6:3:7 | y | test.ps1:1:6:1:15 | Call to Source | test.ps1:3:6:3:7 | y | $@ | test.ps1:1:6:1:15 | Call to Source | Call to Source |
diff --git a/powershell/ql/test/library-tests/dataflow/mad/flow.ql b/powershell/ql/test/library-tests/dataflow/mad/flow.ql
@@ -0,0 +1,13 @@
+/**
+ * @kind path-problem
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+private import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import TaintFlow::PathGraph
+
+from TaintFlow::PathNode source, TaintFlow::PathNode sink
+where TaintFlow::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
diff --git a/powershell/ql/test/library-tests/dataflow/mad/test.ps1 b/powershell/ql/test/library-tests/dataflow/mad/test.ps1
@@ -0,0 +1,3 @@
+$x = Source "1"
+$y = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($x)
+Sink $y # $ hasTaintFlow=1

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+\| file://:0:0:0:0 \| [summary param] pos(0, {}) in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] \| file://:0:0:0:0 \| [summary] to write: ReturnValue in System.Management.Automation.Language.CodeGeneration!;Method[escapesinglequotedstringcontent] \|`
`1`	`2`	`\| test.ps1:1:1:1:3 \| a1 \| test.ps1:2:6:2:8 \| a1 \|`
`2`	`3`	`\| test.ps1:1:1:24:22 \| implicit unwrapping of {...} \| test.ps1:1:1:24:22 \| return value for {...} \|`
`3`	`4`	`\| test.ps1:1:1:24:22 \| pre-return value for {...} \| test.ps1:1:1:24:22 \| implicit unwrapping of {...} \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+$x = Source "1"`
	`2`	`+$y = [System.Management.Automation.Language.CodeGeneration]::EscapeSingleQuotedStringContent($x)`
	`3`	`+Sink $y # $ hasTaintFlow=1`