PS: Add more injetion sinks and type models.

Author: MathiasVP

powershell/ql/lib/semmle/code/powershell/Frameworks.qll

@@ -2,3 +2,6 @@
  * Helper file that imports all framework modeling.
  */
 
+import semmle.code.powershell.frameworks.SystemManagementAutomationRunspaces.Runspaces
+import semmle.code.powershell.frameworks.SystemManagementAutomationPowerShell.PowerShell
+import semmle.code.powershell.frameworks.SystemManagementAutomationEngineIntrinsics.EngineIntrinsics

powershell/ql/lib/semmle/code/powershell/dataflow/FlowSummary.qll

@@ -13,6 +13,9 @@ private import internal.DataFlowPrivate
 private module Summaries {
   private import semmle.code.powershell.Frameworks
   private import semmle.code.powershell.frameworks.data.ModelsAsData
+  import RunspaceFactory
+  import PowerShell
+  import EngineIntrinsics
 }
 
 /** A callable with a flow summary, identified by a unique string. */

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationEngineIntrinsics/EngineIntrinsics.qll

@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module EngineIntrinsics {
+  private class EngineIntrinsicsGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.EngineIntrinsics" and
+      result.asExpr().getExpr().(VarReadAccess).getUserPath().toLowerCase() = "executioncontext"
+    }
+  }
+}

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationEngineIntrinsics/model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.CommandInvocationIntrinsics", "Method[ExpandString].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+    - ["System.Management.Automation.CommandInvocationIntrinsics","System.Management.Automation.EngineIntrinsics","Member[InvokeCommand]"]

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationPowerShell/PowerShell.qll

@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module PowerShell {
+  private class PowerShellGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.PowerShell!" and
+      result.asExpr().getExpr().(TypeNameExpr).getName().toLowerCase() = "powershell"
+    }
+  }
+}

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationPowerShell/model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.PowerShell", "Method[AddScript].Argument[0]", "command-injection"]
+      - ["System.Management.Automation.ScriptBlock!", "Method[Create].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+    - ["System.Management.Automation.PowerShell","System.Management.Automation.PowerShell!","Method[Create].ReturnValue"]

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationRunspaces/Runspaces.qll

@@ -0,0 +1,12 @@
+import powershell
+import semmle.code.powershell.frameworks.data.internal.ApiGraphModels
+private import semmle.code.powershell.dataflow.internal.DataFlowPublic as DataFlow
+
+module RunspaceFactory {
+  private class RunspaceFactoryGlobalEntry extends ModelInput::TypeModel {
+    override DataFlow::Node getASource(string type) {
+      type = "System.Management.Automation.Runspaces.RunspaceFactory!" and
+      result.asExpr().getExpr().(TypeNameExpr).getName().toLowerCase() = "runspacefactory"
+    }
+  }
+}

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationRunspaces/model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.Runspaces.Runspace", "Method[CreateNestedPipeline].Argument[0]", "command-injection"]
+      - ["System.Management.Automation.Runspaces.Runspace", "Method[CreatePipeline].Argument[0]", "command-injection"]
+
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: typeModel
+    data:
+    - ["System.Management.Automation.Runspaces.Runspace","System.Management.Automation.Runspaces.RunspaceFactory!","Method[CreateRunspace].ReturnValue"]

powershell/ql/lib/semmle/code/powershell/frameworks/SystemManagementAutomationScriptBlock/model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: microsoft-sdl/powershell-all
+      extensible: sinkModel
+    data:
+      - ["System.Management.Automation.ScriptBlock!", "Method[Create].Argument[0]", "command-injection"]

powershell/ql/lib/semmle/code/powershell/frameworks/SystemNetSockets/model.yml

@@ -3,7 +3,7 @@ extensions:
       pack: microsoft-sdl/powershell-all
       extensible: sourceModel
     data:
-      - ["System.Net.Sockets.TcpClient", "Instance.Method[GetStream].ReturnValue", "remote"]
-      - ["System.Net.Sockets.UpdClient", "Instance.Method[EndReceive].ReturnValue", "remote"]
-      - ["System.Net.Sockets.UpdClient", "Instance.Method[Receive].ReturnValue", "remote"]
-      - ["System.Net.Sockets.UpdClient", "Instance.Method[ReceiveAsync].ReturnValue", "remote"]
+      - ["System.Net.Sockets.TcpClient", "Method[GetStream].ReturnValue", "remote"]
+      - ["System.Net.Sockets.UpdClient", "Method[EndReceive].ReturnValue", "remote"]
+      - ["System.Net.Sockets.UpdClient", "Method[Receive].ReturnValue", "remote"]
+      - ["System.Net.Sockets.UpdClient", "Method[ReceiveAsync].ReturnValue", "remote"]