Merge pull request #263 from microsoft/remove-env-reads-from-sql-injection

PS: Remove environment variables from `powershell/microsoft/public/sql-injection`

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -428,7 +428,11 @@ predicate nodeIsHidden(Node n) { n.(NodeImpl).nodeIsHidden() }
  * Holds if `n` should never be skipped over in the `PathGraph` and in path
  * explanations.
  */
-predicate neverSkipInPathGraph(Node n) { isReturned(n.(AstNode).getCfgNode()) }
+predicate neverSkipInPathGraph(Node n) {
+  isReturned(n.(AstNode).getCfgNode())
+  or
+  n = any(SsaDefinitionNodeImpl def | not def.nodeIsHidden())
+}
 
 /** An SSA node. */
 class SsaNode extends NodeImpl, TSsaNode {
@@ -439,9 +443,6 @@ class SsaNode extends NodeImpl, TSsaNode {
   /** Gets the underlying variable. */
   Variable getVariable() { result = node.getSourceVariable() }
 
-  /** Holds if this node should be hidden from path explanations. */
-  predicate isHidden() { any() }
-
   override CfgScope getCfgScope() { result = node.getBasicBlock().getScope() }
 
   override Location getLocationImpl() { result = node.getLocation() }
@@ -454,7 +455,7 @@ class SsaDefinitionNodeImpl extends SsaNode {
 
   Ssa::Definition getDefinition() { result = node.getDefinition() }
 
-  override predicate isHidden() {
+  override predicate nodeIsHidden() {
     exists(SsaImpl::Definition def | def = this.getDefinition() |
       not def instanceof Ssa::WriteDefinition
       or

powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll

@@ -38,8 +38,13 @@ module SqlInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of user input, considered as a flow source for command injection. */
-  class FlowSourceAsSource extends Source instanceof SourceNode {
-    override string getSourceType() { result = SourceNode.super.getSourceType() }
+  class FlowSourceAsSource extends Source {
+    FlowSourceAsSource() {
+      this instanceof SourceNode and
+      not this instanceof EnvironmentVariableSource
+    }
+
+    override string getSourceType() { result = this.(SourceNode).getSourceType() }
   }
 
   class InvokeSqlCmdSink extends Sink {

powershell/ql/test/library-tests/dataflow/fields/test.expected

@@ -33,15 +33,19 @@ edges
 | test.ps1:32:6:32:13 | ...[...] [unknown] | test.ps1:32:6:32:16 | ...[...] | provenance |  |
 | test.ps1:33:6:33:10 | arr7 [unknown, unknown] | test.ps1:33:6:33:21 | ...[...] [unknown] | provenance |  |
 | test.ps1:33:6:33:21 | ...[...] [unknown] | test.ps1:33:6:33:32 | ...[...] | provenance |  |
-| test.ps1:35:6:35:16 | Call to source | test.ps1:37:15:37:16 | x | provenance |  |
-| test.ps1:37:9:37:16 | ...,... [element 2] | test.ps1:40:6:40:10 | arr8 [element 2] | provenance |  |
-| test.ps1:37:9:37:16 | ...,... [element 2] | test.ps1:41:6:41:10 | arr8 [element 2] | provenance |  |
+| test.ps1:35:1:35:2 | x | test.ps1:37:15:37:16 | x | provenance |  |
+| test.ps1:35:6:35:16 | Call to source | test.ps1:35:1:35:2 | x | provenance |  |
+| test.ps1:37:1:37:5 | arr8 [element 2] | test.ps1:40:6:40:10 | arr8 [element 2] | provenance |  |
+| test.ps1:37:1:37:5 | arr8 [element 2] | test.ps1:41:6:41:10 | arr8 [element 2] | provenance |  |
+| test.ps1:37:9:37:16 | ...,... [element 2] | test.ps1:37:1:37:5 | arr8 [element 2] | provenance |  |
 | test.ps1:37:15:37:16 | x | test.ps1:37:9:37:16 | ...,... [element 2] | provenance |  |
 | test.ps1:40:6:40:10 | arr8 [element 2] | test.ps1:40:6:40:13 | ...[...] | provenance |  |
 | test.ps1:41:6:41:10 | arr8 [element 2] | test.ps1:41:6:41:20 | ...[...] | provenance |  |
-| test.ps1:43:6:43:16 | Call to source | test.ps1:45:17:45:18 | y | provenance |  |
-| test.ps1:45:9:45:19 | @(...) [element 2] | test.ps1:48:6:48:10 | arr9 [element 2] | provenance |  |
-| test.ps1:45:9:45:19 | @(...) [element 2] | test.ps1:49:6:49:10 | arr9 [element 2] | provenance |  |
+| test.ps1:43:1:43:2 | y | test.ps1:45:17:45:18 | y | provenance |  |
+| test.ps1:43:6:43:16 | Call to source | test.ps1:43:1:43:2 | y | provenance |  |
+| test.ps1:45:1:45:5 | arr9 [element 2] | test.ps1:48:6:48:10 | arr9 [element 2] | provenance |  |
+| test.ps1:45:1:45:5 | arr9 [element 2] | test.ps1:49:6:49:10 | arr9 [element 2] | provenance |  |
+| test.ps1:45:9:45:19 | @(...) [element 2] | test.ps1:45:1:45:5 | arr9 [element 2] | provenance |  |
 | test.ps1:45:17:45:18 | y | test.ps1:45:9:45:19 | @(...) [element 2] | provenance |  |
 | test.ps1:48:6:48:10 | arr9 [element 2] | test.ps1:48:6:48:13 | ...[...] | provenance |  |
 | test.ps1:49:6:49:10 | arr9 [element 2] | test.ps1:49:6:49:20 | ...[...] | provenance |  |
@@ -50,20 +54,29 @@ edges
 | test.ps1:61:1:61:8 | [post] myClass [field] | test.ps1:63:1:63:8 | myClass [field] | provenance |  |
 | test.ps1:61:18:61:28 | Call to source | test.ps1:61:1:61:8 | [post] myClass [field] | provenance |  |
 | test.ps1:63:1:63:8 | myClass [field] | test.ps1:54:5:56:5 | this [field] | provenance |  |
-| test.ps1:66:10:66:20 | Call to source | test.ps1:69:5:69:6 | x | provenance |  |
-| test.ps1:67:10:67:20 | Call to source | test.ps1:70:5:70:6 | y | provenance |  |
-| test.ps1:68:10:68:20 | Call to source | test.ps1:70:9:70:10 | z | provenance |  |
+| test.ps1:66:5:66:6 | x | test.ps1:69:5:69:6 | x | provenance |  |
+| test.ps1:66:5:66:6 | x | test.ps1:69:5:69:6 | x | provenance |  |
+| test.ps1:66:10:66:20 | Call to source | test.ps1:66:5:66:6 | x | provenance |  |
+| test.ps1:66:10:66:20 | Call to source | test.ps1:66:5:66:6 | x | provenance |  |
+| test.ps1:67:5:67:6 | y | test.ps1:70:5:70:6 | y | provenance |  |
+| test.ps1:67:5:67:6 | y | test.ps1:70:5:70:6 | y | provenance |  |
+| test.ps1:67:10:67:20 | Call to source | test.ps1:67:5:67:6 | y | provenance |  |
+| test.ps1:67:10:67:20 | Call to source | test.ps1:67:5:67:6 | y | provenance |  |
+| test.ps1:68:5:68:6 | z | test.ps1:70:9:70:10 | z | provenance |  |
+| test.ps1:68:10:68:20 | Call to source | test.ps1:68:5:68:6 | z | provenance |  |
 | test.ps1:69:5:69:6 | x | test.ps1:73:6:73:12 | Call to produce [unknown index] | provenance |  |
 | test.ps1:70:5:70:6 | y | test.ps1:73:6:73:12 | Call to produce [unknown index] | provenance |  |
 | test.ps1:70:9:70:10 | z | test.ps1:73:6:73:12 | Call to produce [unknown index] | provenance |  |
-| test.ps1:73:6:73:12 | Call to produce [unknown index] | test.ps1:74:6:74:7 | x [unknown index] | provenance |  |
-| test.ps1:73:6:73:12 | Call to produce [unknown index] | test.ps1:75:6:75:7 | x [unknown index] | provenance |  |
-| test.ps1:73:6:73:12 | Call to produce [unknown index] | test.ps1:76:6:76:7 | x [unknown index] | provenance |  |
+| test.ps1:73:1:73:2 | x [unknown index] | test.ps1:74:6:74:7 | x [unknown index] | provenance |  |
+| test.ps1:73:1:73:2 | x [unknown index] | test.ps1:75:6:75:7 | x [unknown index] | provenance |  |
+| test.ps1:73:1:73:2 | x [unknown index] | test.ps1:76:6:76:7 | x [unknown index] | provenance |  |
+| test.ps1:73:6:73:12 | Call to produce [unknown index] | test.ps1:73:1:73:2 | x [unknown index] | provenance |  |
 | test.ps1:74:6:74:7 | x [unknown index] | test.ps1:74:6:74:10 | ...[...] | provenance |  |
 | test.ps1:75:6:75:7 | x [unknown index] | test.ps1:75:6:75:10 | ...[...] | provenance |  |
 | test.ps1:76:6:76:7 | x [unknown index] | test.ps1:76:6:76:10 | ...[...] | provenance |  |
-| test.ps1:78:9:81:1 | ${...} [element a] | test.ps1:83:6:83:10 | hash [element a] | provenance |  |
-| test.ps1:78:9:81:1 | ${...} [element a] | test.ps1:87:6:87:10 | hash [element a] | provenance |  |
+| test.ps1:78:1:78:5 | hash [element a] | test.ps1:83:6:83:10 | hash [element a] | provenance |  |
+| test.ps1:78:1:78:5 | hash [element a] | test.ps1:87:6:87:10 | hash [element a] | provenance |  |
+| test.ps1:78:9:81:1 | ${...} [element a] | test.ps1:78:1:78:5 | hash [element a] | provenance |  |
 | test.ps1:79:7:79:17 | Call to source | test.ps1:78:9:81:1 | ${...} [element a] | provenance |  |
 | test.ps1:83:6:83:10 | hash [element a] | test.ps1:83:6:83:15 | ...[...] | provenance |  |
 | test.ps1:87:6:87:10 | hash [element a] | test.ps1:87:6:87:15 | ...[...] | provenance |  |
@@ -112,14 +125,18 @@ nodes
 | test.ps1:33:6:33:10 | arr7 [unknown, unknown] | semmle.label | arr7 [unknown, unknown] |
 | test.ps1:33:6:33:21 | ...[...] [unknown] | semmle.label | ...[...] [unknown] |
 | test.ps1:33:6:33:32 | ...[...] | semmle.label | ...[...] |
+| test.ps1:35:1:35:2 | x | semmle.label | x |
 | test.ps1:35:6:35:16 | Call to source | semmle.label | Call to source |
+| test.ps1:37:1:37:5 | arr8 [element 2] | semmle.label | arr8 [element 2] |
 | test.ps1:37:9:37:16 | ...,... [element 2] | semmle.label | ...,... [element 2] |
 | test.ps1:37:15:37:16 | x | semmle.label | x |
 | test.ps1:40:6:40:10 | arr8 [element 2] | semmle.label | arr8 [element 2] |
 | test.ps1:40:6:40:13 | ...[...] | semmle.label | ...[...] |
 | test.ps1:41:6:41:10 | arr8 [element 2] | semmle.label | arr8 [element 2] |
 | test.ps1:41:6:41:20 | ...[...] | semmle.label | ...[...] |
+| test.ps1:43:1:43:2 | y | semmle.label | y |
 | test.ps1:43:6:43:16 | Call to source | semmle.label | Call to source |
+| test.ps1:45:1:45:5 | arr9 [element 2] | semmle.label | arr9 [element 2] |
 | test.ps1:45:9:45:19 | @(...) [element 2] | semmle.label | @(...) [element 2] |
 | test.ps1:45:17:45:18 | y | semmle.label | y |
 | test.ps1:48:6:48:10 | arr9 [element 2] | semmle.label | arr9 [element 2] |
@@ -132,19 +149,26 @@ nodes
 | test.ps1:61:1:61:8 | [post] myClass [field] | semmle.label | [post] myClass [field] |
 | test.ps1:61:18:61:28 | Call to source | semmle.label | Call to source |
 | test.ps1:63:1:63:8 | myClass [field] | semmle.label | myClass [field] |
+| test.ps1:66:5:66:6 | x | semmle.label | x |
+| test.ps1:66:5:66:6 | x | semmle.label | x |
 | test.ps1:66:10:66:20 | Call to source | semmle.label | Call to source |
+| test.ps1:67:5:67:6 | y | semmle.label | y |
+| test.ps1:67:5:67:6 | y | semmle.label | y |
 | test.ps1:67:10:67:20 | Call to source | semmle.label | Call to source |
+| test.ps1:68:5:68:6 | z | semmle.label | z |
 | test.ps1:68:10:68:20 | Call to source | semmle.label | Call to source |
 | test.ps1:69:5:69:6 | x | semmle.label | x |
 | test.ps1:70:5:70:6 | y | semmle.label | y |
 | test.ps1:70:9:70:10 | z | semmle.label | z |
+| test.ps1:73:1:73:2 | x [unknown index] | semmle.label | x [unknown index] |
 | test.ps1:73:6:73:12 | Call to produce [unknown index] | semmle.label | Call to produce [unknown index] |
 | test.ps1:74:6:74:7 | x [unknown index] | semmle.label | x [unknown index] |
 | test.ps1:74:6:74:10 | ...[...] | semmle.label | ...[...] |
 | test.ps1:75:6:75:7 | x [unknown index] | semmle.label | x [unknown index] |
 | test.ps1:75:6:75:10 | ...[...] | semmle.label | ...[...] |
 | test.ps1:76:6:76:7 | x [unknown index] | semmle.label | x [unknown index] |
 | test.ps1:76:6:76:10 | ...[...] | semmle.label | ...[...] |
+| test.ps1:78:1:78:5 | hash [element a] | semmle.label | hash [element a] |
 | test.ps1:78:9:81:1 | ${...} [element a] | semmle.label | ${...} [element a] |
 | test.ps1:79:7:79:17 | Call to source | semmle.label | Call to source |
 | test.ps1:83:6:83:10 | hash [element a] | semmle.label | hash [element a] |

powershell/ql/test/library-tests/dataflow/global/test.expected

@@ -1,12 +1,14 @@
 models
 edges
-| test.ps1:2:14:2:23 | Call to source | test.ps1:5:25:7:1 | <initial env var> env:x | provenance |  |
-| test.ps1:5:25:7:1 | <initial env var> env:x | test.ps1:6:5:6:15 | env:x | provenance |  |
-| test.ps1:16:18:16:27 | Call to source | test.ps1:5:25:7:1 | <initial env var> env:x | provenance |  |
+| test.ps1:2:5:2:23 | env:x | test.ps1:6:5:6:15 | env:x | provenance |  |
+| test.ps1:2:14:2:23 | Call to source | test.ps1:2:5:2:23 | env:x | provenance |  |
+| test.ps1:16:9:16:27 | env:x | test.ps1:6:5:6:15 | env:x | provenance |  |
+| test.ps1:16:18:16:27 | Call to source | test.ps1:16:9:16:27 | env:x | provenance |  |
 nodes
+| test.ps1:2:5:2:23 | env:x | semmle.label | env:x |
 | test.ps1:2:14:2:23 | Call to source | semmle.label | Call to source |
-| test.ps1:5:25:7:1 | <initial env var> env:x | semmle.label | <initial env var> env:x |
 | test.ps1:6:5:6:15 | env:x | semmle.label | env:x |
+| test.ps1:16:9:16:27 | env:x | semmle.label | env:x |
 | test.ps1:16:18:16:27 | Call to source | semmle.label | Call to source |
 subpaths
 testFailures

powershell/ql/test/library-tests/dataflow/mad/flow.expected

@@ -5,19 +5,24 @@ edges
 | file://:0:0:0:0 | [summary param] pos(0, {}) in system.management.automation.language.codegeneration!;Method[escapesinglequotedstringcontent] | file://:0:0:0:0 | [summary] to write: ReturnValue in system.management.automation.language.codegeneration!;Method[escapesinglequotedstringcontent] | provenance |  |
 | file://:0:0:0:0 | [summary] read: Argument[pipeline].Element[?] in microsoft.powershell.utility!;Method[join-string] | file://:0:0:0:0 | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] | provenance |  |
 | file://:0:0:0:0 | [summary] read: Argument[pipeline].Element[?] in microsoft.powershell.utility!;Method[join-string] | file://:0:0:0:0 | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] | provenance |  |
-| test.ps1:1:6:1:15 | Call to source | test.ps1:2:94:2:95 | x | provenance |  |
-| test.ps1:2:6:2:96 | Call to escapesinglequotedstringcontent | test.ps1:3:6:3:7 | y | provenance |  |
+| test.ps1:1:1:1:2 | x | test.ps1:2:94:2:95 | x | provenance |  |
+| test.ps1:1:6:1:15 | Call to source | test.ps1:1:1:1:2 | x | provenance |  |
+| test.ps1:2:1:2:2 | y | test.ps1:3:6:3:7 | y | provenance |  |
+| test.ps1:2:6:2:96 | Call to escapesinglequotedstringcontent | test.ps1:2:1:2:2 | y | provenance |  |
 | test.ps1:2:94:2:95 | x | file://:0:0:0:0 | [summary param] pos(0, {}) in system.management.automation.language.codegeneration!;Method[escapesinglequotedstringcontent] | provenance |  |
 | test.ps1:2:94:2:95 | x | test.ps1:2:6:2:96 | Call to escapesinglequotedstringcontent | provenance |  |
-| test.ps1:5:6:5:15 | Call to source | test.ps1:7:6:7:7 | x | provenance |  |
-| test.ps1:6:6:6:15 | Call to source | test.ps1:7:10:7:11 | y | provenance |  |
+| test.ps1:5:1:5:2 | x | test.ps1:7:6:7:7 | x | provenance |  |
+| test.ps1:5:6:5:15 | Call to source | test.ps1:5:1:5:2 | x | provenance |  |
+| test.ps1:6:1:6:2 | y | test.ps1:7:10:7:11 | y | provenance |  |
+| test.ps1:6:6:6:15 | Call to source | test.ps1:6:1:6:2 | y | provenance |  |
+| test.ps1:7:1:7:2 | z | test.ps1:8:6:8:7 | z | provenance |  |
 | test.ps1:7:6:7:7 | x | test.ps1:7:6:7:11 | ...,... [element 0] | provenance |  |
 | test.ps1:7:6:7:11 | ...,... [element 0] | file://:0:0:0:0 | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 0] | provenance |  |
 | test.ps1:7:6:7:11 | ...,... [element 0] | test.ps1:7:15:7:25 | Call to join-string | provenance |  |
 | test.ps1:7:6:7:11 | ...,... [element 1] | file://:0:0:0:0 | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 1] | provenance |  |
 | test.ps1:7:6:7:11 | ...,... [element 1] | test.ps1:7:15:7:25 | Call to join-string | provenance |  |
 | test.ps1:7:10:7:11 | y | test.ps1:7:6:7:11 | ...,... [element 1] | provenance |  |
-| test.ps1:7:15:7:25 | Call to join-string | test.ps1:8:6:8:7 | z | provenance |  |
+| test.ps1:7:15:7:25 | Call to join-string | test.ps1:7:1:7:2 | z | provenance |  |
 nodes
 | file://:0:0:0:0 | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 0] | semmle.label | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 0] |
 | file://:0:0:0:0 | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 1] | semmle.label | [summary param] pipeline in microsoft.powershell.utility!;Method[join-string] [element 1] |
@@ -27,12 +32,17 @@ nodes
 | file://:0:0:0:0 | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] | semmle.label | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] |
 | file://:0:0:0:0 | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] | semmle.label | [summary] to write: ReturnValue in microsoft.powershell.utility!;Method[join-string] |
 | file://:0:0:0:0 | [summary] to write: ReturnValue in system.management.automation.language.codegeneration!;Method[escapesinglequotedstringcontent] | semmle.label | [summary] to write: ReturnValue in system.management.automation.language.codegeneration!;Method[escapesinglequotedstringcontent] |
+| test.ps1:1:1:1:2 | x | semmle.label | x |
 | test.ps1:1:6:1:15 | Call to source | semmle.label | Call to source |
+| test.ps1:2:1:2:2 | y | semmle.label | y |
 | test.ps1:2:6:2:96 | Call to escapesinglequotedstringcontent | semmle.label | Call to escapesinglequotedstringcontent |
 | test.ps1:2:94:2:95 | x | semmle.label | x |
 | test.ps1:3:6:3:7 | y | semmle.label | y |
+| test.ps1:5:1:5:2 | x | semmle.label | x |
 | test.ps1:5:6:5:15 | Call to source | semmle.label | Call to source |
+| test.ps1:6:1:6:2 | y | semmle.label | y |
 | test.ps1:6:6:6:15 | Call to source | semmle.label | Call to source |
+| test.ps1:7:1:7:2 | z | semmle.label | z |
 | test.ps1:7:6:7:7 | x | semmle.label | x |
 | test.ps1:7:6:7:11 | ...,... [element 0] | semmle.label | ...,... [element 0] |
 | test.ps1:7:6:7:11 | ...,... [element 1] | semmle.label | ...,... [element 1] |