PS: Add taint flow through all operations.

MathiasVP · MathiasVP · commit d0febd7aaeef · 2024-10-17T16:52:16.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll b/powershell/ql/lib/semmle/code/powershell/dataflow/internal/TaintTrackingPrivate.qll
@@ -33,17 +33,22 @@ private module Cached {
    */
   cached
   predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo, string model) {
-    // Although flow through collections is modeled precisely using stores/reads, we still
-    // allow flow out of a _tainted_ collection. This is needed in order to support taint-
-    // tracking configurations where the source is a collection.
-    exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
-      c.isSingleton(any(DataFlow::Content::ElementContent ec))
+    (
+      exists(CfgNodes::ExprNodes::OperationCfgNode op |
+        op = nodeTo.asExpr() and
+        op.getAnOperand() = nodeFrom.asExpr()
+      )
       or
-      c.isKnownOrUnknownElement(_)
-      // or
-      // TODO: We do't generate this one from readSteps yet, but we will as
-      // soon as we start on models-as-data.
-      // c.isAnyElement()
+      // Although flow through collections is modeled precisely using stores/reads, we still
+      // allow flow out of a _tainted_ collection. This is needed in order to support taint-
+      // tracking configurations where the source is a collection.
+      exists(DataFlow::ContentSet c | readStep(nodeFrom, c, nodeTo) |
+        c.isSingleton(any(DataFlow::Content::ElementContent ec))
+        or
+        c.isKnownOrUnknownElement(_)
+        or
+        c.isAnyElement()
+      )
     ) and
     model = ""
   }
