PS: Make use of static type information in dataflow dispatch.

MathiasVP · MathiasVP · commit 94220ec26b49 · 2024-11-06T13:41:03.000Z
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowDispatch.qll
@@ -134,6 +134,9 @@ private module TrackInstanceInput implements CallGraphConstruction::InputSig {
     or
     start.asExpr().(CfgNodes::ExprNodes::TypeNameCfgNode).getTypeName() = typename and
     exact = true
+    or
+    start.asParameter().getStaticType() = typename and
+    exact = false
   }
 
   newtype State = additional MkState(string typename, Boolean exact) { start0(_, typename, exact) }
@@ -174,12 +177,20 @@ Node trackInstance(string typename, boolean exact) {
         exact))
 }
 
+private Type getTypeWithName(string s, boolean exact) {
+  result.getName() = s and
+  exact = true
+  or
+  result.getASubtype+().getName() = s and
+  exact = false
+}
+
 private CfgScope getTargetInstance(CfgNodes::CallCfgNode call) {
   // TODO: Also match argument/parameter types
-  exists(Node receiver, string method, string typename, Type t |
+  exists(Node receiver, string method, string typename, Type t, boolean exact |
     qualifiedCall(call, receiver, method) and
-    receiver = trackInstance(typename, _) and
-    t.getName() = typename
+    receiver = trackInstance(typename, exact) and
+    t = getTypeWithName(typename, exact)
   |
     if method = "new"
     then result = t.getAConstructor().getBody()
